extensions/common/permissions/permissions_data.h

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
   6 #define EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
   7
   8 #include <map>
   9 #include <string>
  10 #include <vector>
  11
  12 #include "base/memory/ref_counted.h"
  13 #include "base/strings/string16.h"
  14 #include "base/synchronization/lock.h"
  15 #include "extensions/common/manifest.h"
  16 #include "extensions/common/permissions/api_permission.h"
  17 #include "extensions/common/permissions/coalesced_permission_message.h"
  18 #include "extensions/common/permissions/permission_message.h"
  19 #include "extensions/common/permissions/permission_set.h"
  20
  21 class GURL;
  22
  23 namespace extensions {
  24 class Extension;
  25 class URLPatternSet;
  26
  27 // A container for the permissions state of an extension, including active,
  28 // withheld, and tab-specific permissions.
  29 class PermissionsData {
  30  public:
  31   // The possible types of access for a given frame.
  32   enum AccessType {
  33     ACCESS_DENIED,   // The extension is not allowed to access the given page.
  34     ACCESS_ALLOWED,  // The extension is allowed to access the given page.
  35     ACCESS_WITHHELD  // The browser must determine if the extension can access
  36                      // the given page.
  37   };
  38
  39   using TabPermissionsMap = std::map<int, scoped_refptr<const PermissionSet>>;
  40
  41   // Delegate class to allow different contexts (e.g. browser vs renderer) to
  42   // have control over policy decisions.
  43   class PolicyDelegate {
  44    public:
  45     virtual ~PolicyDelegate() {}
  46
  47     // Returns false if script access should be blocked on this page.
  48     // Otherwise, default policy should decide.
  49     virtual bool CanExecuteScriptOnPage(const Extension* extension,
  50                                         const GURL& document_url,
  51                                         const GURL& top_document_url,
  52                                         int tab_id,
  53                                         int process_id,
  54                                         std::string* error) = 0;
  55   };
  56
  57   static void SetPolicyDelegate(PolicyDelegate* delegate);
  58
  59   PermissionsData(const Extension* extension);
  60   virtual ~PermissionsData();
  61
  62   // Returns true if the extension is a COMPONENT extension or is on the
  63   // whitelist of extensions that can script all pages.
  64   static bool CanExecuteScriptEverywhere(const Extension* extension);
  65
  66   // Returns true if the --scripts-require-action flag would possibly affect
  67   // the given |extension| and |permissions|. We pass in the |permissions|
  68   // explicitly, as we may need to check with permissions other than the ones
  69   // that are currently on the extension's PermissionsData.
  70   static bool ScriptsMayRequireActionForExtension(
  71       const Extension* extension,
  72       const PermissionSet* permissions);
  73
  74   // Returns true if we should skip the permisisons warning for the extension
  75   // with the given |extension_id|.
  76   static bool ShouldSkipPermissionWarnings(const std::string& extension_id);
  77
  78   // Returns true if the given |url| is restricted for the given |extension|,
  79   // as is commonly the case for chrome:// urls.
  80   // NOTE: You probably want to use CanAccessPage().
  81   static bool IsRestrictedUrl(const GURL& document_url,
  82                               const GURL& top_frame_url,
  83                               const Extension* extension,
  84                               std::string* error);
  85
  86   // Sets the runtime permissions of the given |extension| to |active| and
  87   // |withheld|.
  88   void SetPermissions(const scoped_refptr<const PermissionSet>& active,
  89                       const scoped_refptr<const PermissionSet>& withheld) const;
  90
  91   // Updates the tab-specific permissions of |tab_id| to include those from
  92   // |permissions|.
  93   void UpdateTabSpecificPermissions(
  94       int tab_id,
  95       scoped_refptr<const PermissionSet> permissions) const;
  96
  97   // Clears the tab-specific permissions of |tab_id|.
  98   void ClearTabSpecificPermissions(int tab_id) const;
  99
 100   // Returns true if the |extension| has the given |permission|. Prefer
 101   // IsExtensionWithPermissionOrSuggestInConsole when developers may be using an
 102   // api that requires a permission they didn't know about, e.g. open web apis.
 103   // Note this does not include APIs with no corresponding permission, like
 104   // "runtime" or "browserAction".
 105   // TODO(mpcomplete): drop the "API" from these names, it's confusing.
 106   bool HasAPIPermission(APIPermission::ID permission) const;
 107   bool HasAPIPermission(const std::string& permission_name) const;
 108   bool HasAPIPermissionForTab(int tab_id, APIPermission::ID permission) const;
 109   bool CheckAPIPermissionWithParam(
 110       APIPermission::ID permission,
 111       const APIPermission::CheckParam* param) const;
 112
 113   // Returns the hosts this extension effectively has access to, including
 114   // explicit and scriptable hosts, and any hosts on tabs the extension has
 115   // active tab permissions for.
 116   URLPatternSet GetEffectiveHostPermissions() const;
 117
 118   // TODO(rdevlin.cronin): HasHostPermission() and
 119   // HasEffectiveAccessToAllHosts() are just forwards for the active
 120   // permissions. We should either get rid of these, and have callers use
 121   // active_permissions(), or should get rid of active_permissions(), and make
 122   // callers use PermissionsData for everything. We should not do both.
 123
 124   // Whether the extension has access to the given |url|.
 125   bool HasHostPermission(const GURL& url) const;
 126
 127   // Whether the extension has effective access to all hosts. This is true if
 128   // there is a content script that matches all hosts, if there is a host
 129   // permission grants access to all hosts (like <all_urls>) or an api
 130   // permission that effectively grants access to all hosts (e.g. proxy,
 131   // network, etc.)
 132   bool HasEffectiveAccessToAllHosts() const;
 133
 134   // Returns the full list of permission messages that should display at
 135   // install time.
 136   // TODO(sashab): Deprecate this in favor of GetCoalescedPermissionMessages().
 137   PermissionMessages GetPermissionMessages() const;
 138
 139   // Returns the full list of permission messages that should display at install
 140   // time as strings.
 141   // TODO(sashab): Deprecate this in favor of GetCoalescedPermissionMessages().
 142   std::vector<base::string16> GetPermissionMessageStrings() const;
 143
 144   // Returns the full list of permission details for messages that should
 145   // display at install time as strings.
 146   // TODO(sashab): Deprecate this in favor of GetCoalescedPermissionMessages().
 147   std::vector<base::string16> GetPermissionMessageDetailsStrings() const;
 148
 149   // Returns the full list of permission details for messages that should
 150   // display at install time, in a nested format ready for display.
 151   CoalescedPermissionMessages GetCoalescedPermissionMessages() const;
 152
 153   // Returns true if the extension has requested all-hosts permissions (or
 154   // something close to it), but has had it withheld.
 155   bool HasWithheldImpliedAllHosts() const;
 156
 157   // Returns true if the |extension| has permission to access and interact with
 158   // the specified page, in order to do things like inject scripts or modify
 159   // the content.
 160   // If this returns false and |error| is non-NULL, |error| will be popualted
 161   // with the reason the extension cannot access the page.
 162   bool CanAccessPage(const Extension* extension,
 163                      const GURL& document_url,
 164                      const GURL& top_document_url,
 165                      int tab_id,
 166                      int process_id,
 167                      std::string* error) const;
 168   // Like CanAccessPage, but also takes withheld permissions into account.
 169   // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers
 170   // know how to wait for permission.
 171   AccessType GetPageAccess(const Extension* extension,
 172                            const GURL& document_url,
 173                            const GURL& top_document_url,
 174                            int tab_id,
 175                            int process_id,
 176                            std::string* error) const;
 177
 178   // Returns true if the |extension| has permission to inject a content script
 179   // on the page.
 180   // If this returns false and |error| is non-NULL, |error| will be popualted
 181   // with the reason the extension cannot script the page.
 182   // NOTE: You almost certainly want to use CanAccessPage() instead of this
 183   // method.
 184   bool CanRunContentScriptOnPage(const Extension* extension,
 185                                  const GURL& document_url,
 186                                  const GURL& top_document_url,
 187                                  int tab_id,
 188                                  int process_id,
 189                                  std::string* error) const;
 190   // Like CanRunContentScriptOnPage, but also takes withheld permissions into
 191   // account.
 192   // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers
 193   // know how to wait for permission.
 194   AccessType GetContentScriptAccess(const Extension* extension,
 195                                     const GURL& document_url,
 196                                     const GURL& top_document_url,
 197                                     int tab_id,
 198                                     int process_id,
 199                                     std::string* error) const;
 200
 201   // Returns true if extension is allowed to obtain the contents of a page as
 202   // an image. Since a page may contain sensitive information, this is
 203   // restricted to the extension's host permissions as well as the extension
 204   // page itself.
 205   bool CanCaptureVisiblePage(int tab_id, std::string* error) const;
 206
 207   const scoped_refptr<const PermissionSet>& active_permissions() const {
 208     // We lock so that we can't also be setting the permissions while returning.
 209     base::AutoLock auto_lock(runtime_lock_);
 210     return active_permissions_unsafe_;
 211   }
 212
 213   const scoped_refptr<const PermissionSet>& withheld_permissions() const {
 214     // We lock so that we can't also be setting the permissions while returning.
 215     base::AutoLock auto_lock(runtime_lock_);
 216     return withheld_permissions_unsafe_;
 217   }
 218
 219   const TabPermissionsMap& tab_specific_permissions() const {
 220     // We lock so that we can't also be setting the permissions while returning.
 221     base::AutoLock auto_lock(runtime_lock_);
 222     return tab_specific_permissions_;
 223   }
 224
 225 #if defined(UNIT_TEST)
 226   scoped_refptr<const PermissionSet> GetTabSpecificPermissionsForTesting(
 227       int tab_id) const {
 228     return GetTabSpecificPermissions(tab_id);
 229   }
 230 #endif
 231
 232  private:
 233   // Gets the tab-specific host permissions of |tab_id|, or NULL if there
 234   // aren't any.
 235   scoped_refptr<const PermissionSet> GetTabSpecificPermissions(
 236       int tab_id) const;
 237
 238   // Returns true if the |extension| has tab-specific permission to operate on
 239   // the tab specified by |tab_id| with the given |url|.
 240   // Note that if this returns false, it doesn't mean the extension can't run on
 241   // the given tab, only that it does not have tab-specific permission to do so.
 242   bool HasTabSpecificPermissionToExecuteScript(int tab_id,
 243                                                const GURL& url) const;
 244
 245   // Returns whether or not the extension is permitted to run on the given page,
 246   // checking against |permitted_url_patterns| in addition to blocking special
 247   // sites (like the webstore or chrome:// urls).
 248   AccessType CanRunOnPage(const Extension* extension,
 249                           const GURL& document_url,
 250                           const GURL& top_document_url,
 251                           int tab_id,
 252                           int process_id,
 253                           const URLPatternSet& permitted_url_patterns,
 254                           const URLPatternSet& withheld_url_patterns,
 255                           std::string* error) const;
 256
 257   // The associated extension's id.
 258   std::string extension_id_;
 259
 260   // The associated extension's manifest type.
 261   Manifest::Type manifest_type_;
 262
 263   mutable base::Lock runtime_lock_;
 264
 265   // The permission's which are currently active on the extension during
 266   // runtime.
 267   // Unsafe indicates that we must lock anytime this is directly accessed.
 268   // Unless you need to change |active_permissions_unsafe_|, use the (safe)
 269   // active_permissions() accessor.
 270   mutable scoped_refptr<const PermissionSet> active_permissions_unsafe_;
 271
 272   // The permissions the extension requested, but was not granted due because
 273   // they are too powerful. This includes things like all_hosts.
 274   // Unsafe indicates that we must lock anytime this is directly accessed.
 275   // Unless you need to change |withheld_permissions_unsafe_|, use the (safe)
 276   // withheld_permissions() accessor.
 277   mutable scoped_refptr<const PermissionSet> withheld_permissions_unsafe_;
 278
 279   mutable TabPermissionsMap tab_specific_permissions_;
 280
 281   DISALLOW_COPY_AND_ASSIGN(PermissionsData);
 282 };
 283
 284 }  // namespace extensions
 285
 286 #endif  // EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_