1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_ 6 #define EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_ 7 8 #include <map> 9 #include <string> 10 #include <vector> 11 12 #include "base/memory/ref_counted.h" 13 #include "base/memory/scoped_ptr.h" 14 #include "base/strings/string16.h" 15 #include "base/synchronization/lock.h" 16 #include "extensions/common/extension.h" 17 #include "extensions/common/manifest.h" 18 #include "extensions/common/permissions/api_permission.h" 19 #include "extensions/common/permissions/permission_message.h" 20 #include "extensions/common/permissions/permission_set.h" 21 22 class GURL; 23 24 namespace extensions { 25 26 class PermissionSet; 27 class Extension; 28 class URLPatternSet; 29 class UserScript; 30 31 // A container for the active permissions of an extension. 32 // TODO(rdevlin.cronin): For the love of everything good, rename this class to 33 // ActivePermissions. We do *not* need PermissionsParser, PermissionSet, 34 // PermissionInfo, and PermissionsData. No one will be able to keep them 35 // straight. 36 class PermissionsData { 37 public: 38 // The possible types of access for a given frame. 39 enum AccessType { 40 ACCESS_DENIED, // The extension is not allowed to access the given page. 41 ACCESS_ALLOWED, // The extension is allowed to access the given page. 42 ACCESS_WITHHELD // The browser must determine if the extension can access 43 // the given page. 44 }; 45 46 // Delegate class to allow different contexts (e.g. browser vs renderer) to 47 // have control over policy decisions. 48 class PolicyDelegate { 49 public: ~PolicyDelegate()50 virtual ~PolicyDelegate() {} 51 52 // Returns false if script access should be blocked on this page. 53 // Otherwise, default policy should decide. 54 virtual bool CanExecuteScriptOnPage(const Extension* extension, 55 const GURL& document_url, 56 const GURL& top_document_url, 57 int tab_id, 58 int process_id, 59 std::string* error) = 0; 60 }; 61 62 static void SetPolicyDelegate(PolicyDelegate* delegate); 63 64 PermissionsData(const Extension* extension); 65 virtual ~PermissionsData(); 66 67 // Returns true if the |extension| can silently increase its permission level. 68 // Users must approve permissions for unpacked and packed extensions in the 69 // following situations: 70 // - when installing or upgrading packed extensions 71 // - when installing unpacked extensions that have NPAPI plugins 72 // - when either type of extension requests optional permissions 73 static bool CanSilentlyIncreasePermissions(const Extension* extension); 74 75 // Returns true if the extension is a COMPONENT extension or is on the 76 // whitelist of extensions that can script all pages. 77 static bool CanExecuteScriptEverywhere(const Extension* extension); 78 79 // Returns true if we should skip the permisisons warning for the extension 80 // with the given |extension_id|. 81 static bool ShouldSkipPermissionWarnings(const std::string& extension_id); 82 83 // Returns true if the given |url| is restricted for the given |extension|, 84 // as is commonly the case for chrome:// urls. 85 // NOTE: You probably want to use CanAccessPage(). 86 static bool IsRestrictedUrl(const GURL& document_url, 87 const GURL& top_frame_url, 88 const Extension* extension, 89 std::string* error); 90 91 // Sets the runtime permissions of the given |extension| to |active| and 92 // |withheld|. 93 void SetPermissions(const scoped_refptr<const PermissionSet>& active, 94 const scoped_refptr<const PermissionSet>& withheld) const; 95 96 // Updates the tab-specific permissions of |tab_id| to include those from 97 // |permissions|. 98 void UpdateTabSpecificPermissions( 99 int tab_id, 100 scoped_refptr<const PermissionSet> permissions) const; 101 102 // Clears the tab-specific permissions of |tab_id|. 103 void ClearTabSpecificPermissions(int tab_id) const; 104 105 // Returns true if the |extension| has the given |permission|. Prefer 106 // IsExtensionWithPermissionOrSuggestInConsole when developers may be using an 107 // api that requires a permission they didn't know about, e.g. open web apis. 108 // Note this does not include APIs with no corresponding permission, like 109 // "runtime" or "browserAction". 110 // TODO(mpcomplete): drop the "API" from these names, it's confusing. 111 bool HasAPIPermission(APIPermission::ID permission) const; 112 bool HasAPIPermission(const std::string& permission_name) const; 113 bool HasAPIPermissionForTab(int tab_id, APIPermission::ID permission) const; 114 bool CheckAPIPermissionWithParam( 115 APIPermission::ID permission, 116 const APIPermission::CheckParam* param) const; 117 118 // TODO(rdevlin.cronin): GetEffectiveHostPermissions(), HasHostPermission(), 119 // and HasEffectiveAccessToAllHosts() are just forwards for the active 120 // permissions. We should either get rid of these, and have callers use 121 // active_permissions(), or should get rid of active_permissions(), and make 122 // callers use PermissionsData for everything. We should not do both. 123 124 // Returns the effective hosts associated with the active permissions. 125 const URLPatternSet& GetEffectiveHostPermissions() const; 126 127 // Whether the extension has access to the given |url|. 128 bool HasHostPermission(const GURL& url) const; 129 130 // Whether the extension has effective access to all hosts. This is true if 131 // there is a content script that matches all hosts, if there is a host 132 // permission grants access to all hosts (like <all_urls>) or an api 133 // permission that effectively grants access to all hosts (e.g. proxy, 134 // network, etc.) 135 bool HasEffectiveAccessToAllHosts() const; 136 137 // Returns the full list of permission messages that should display at 138 // install time. 139 PermissionMessages GetPermissionMessages() const; 140 141 // Returns the full list of permission messages that should display at install 142 // time as strings. 143 std::vector<base::string16> GetPermissionMessageStrings() const; 144 145 // Returns the full list of permission details for messages that should 146 // display at install time as strings. 147 std::vector<base::string16> GetPermissionMessageDetailsStrings() const; 148 149 // Returns true if the extension has requested all-hosts permissions (or 150 // something close to it), but has had it withheld. 151 bool HasWithheldImpliedAllHosts() const; 152 153 // Returns true if the |extension| has permission to access and interact with 154 // the specified page, in order to do things like inject scripts or modify 155 // the content. 156 // If this returns false and |error| is non-NULL, |error| will be popualted 157 // with the reason the extension cannot access the page. 158 bool CanAccessPage(const Extension* extension, 159 const GURL& document_url, 160 const GURL& top_document_url, 161 int tab_id, 162 int process_id, 163 std::string* error) const; 164 // Like CanAccessPage, but also takes withheld permissions into account. 165 // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers 166 // know how to wait for permission. 167 AccessType GetPageAccess(const Extension* extension, 168 const GURL& document_url, 169 const GURL& top_document_url, 170 int tab_id, 171 int process_id, 172 std::string* error) const; 173 174 // Returns true if the |extension| has permission to inject a content script 175 // on the page. 176 // If this returns false and |error| is non-NULL, |error| will be popualted 177 // with the reason the extension cannot script the page. 178 // NOTE: You almost certainly want to use CanAccessPage() instead of this 179 // method. 180 bool CanRunContentScriptOnPage(const Extension* extension, 181 const GURL& document_url, 182 const GURL& top_document_url, 183 int tab_id, 184 int process_id, 185 std::string* error) const; 186 // Like CanRunContentScriptOnPage, but also takes withheld permissions into 187 // account. 188 // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers 189 // know how to wait for permission. 190 AccessType GetContentScriptAccess(const Extension* extension, 191 const GURL& document_url, 192 const GURL& top_document_url, 193 int tab_id, 194 int process_id, 195 std::string* error) const; 196 197 // Returns true if extension is allowed to obtain the contents of a page as 198 // an image. Since a page may contain sensitive information, this is 199 // restricted to the extension's host permissions as well as the extension 200 // page itself. 201 bool CanCaptureVisiblePage(int tab_id, std::string* error) const; 202 active_permissions()203 const scoped_refptr<const PermissionSet>& active_permissions() const { 204 // TODO(dcheng): What is the point of this lock? 205 base::AutoLock auto_lock(runtime_lock_); 206 return active_permissions_unsafe_; 207 } 208 withheld_permissions()209 const scoped_refptr<const PermissionSet>& withheld_permissions() const { 210 // TODO(dcheng): What is the point of this lock? 211 return withheld_permissions_unsafe_; 212 } 213 214 #if defined(UNIT_TEST) GetTabSpecificPermissionsForTesting(int tab_id)215 scoped_refptr<const PermissionSet> GetTabSpecificPermissionsForTesting( 216 int tab_id) const { 217 return GetTabSpecificPermissions(tab_id); 218 } 219 #endif 220 221 private: 222 typedef std::map<int, scoped_refptr<const PermissionSet> > TabPermissionsMap; 223 224 // Gets the tab-specific host permissions of |tab_id|, or NULL if there 225 // aren't any. 226 scoped_refptr<const PermissionSet> GetTabSpecificPermissions( 227 int tab_id) const; 228 229 // Returns true if the |extension| has tab-specific permission to operate on 230 // the tab specified by |tab_id| with the given |url|. 231 // Note that if this returns false, it doesn't mean the extension can't run on 232 // the given tab, only that it does not have tab-specific permission to do so. 233 bool HasTabSpecificPermissionToExecuteScript(int tab_id, 234 const GURL& url) const; 235 236 // Returns whether or not the extension is permitted to run on the given page, 237 // checking against |permitted_url_patterns| in addition to blocking special 238 // sites (like the webstore or chrome:// urls). 239 AccessType CanRunOnPage(const Extension* extension, 240 const GURL& document_url, 241 const GURL& top_document_url, 242 int tab_id, 243 int process_id, 244 const URLPatternSet& permitted_url_patterns, 245 const URLPatternSet& withheld_url_patterns, 246 std::string* error) const; 247 248 // The associated extension's id. 249 std::string extension_id_; 250 251 // The associated extension's manifest type. 252 Manifest::Type manifest_type_; 253 254 mutable base::Lock runtime_lock_; 255 256 // The permission's which are currently active on the extension during 257 // runtime. 258 // Unsafe indicates that we must lock anytime this is directly accessed. 259 // Unless you need to change |active_permissions_unsafe_|, use the (safe) 260 // active_permissions() accessor. 261 mutable scoped_refptr<const PermissionSet> active_permissions_unsafe_; 262 263 // The permissions the extension requested, but was not granted due because 264 // they are too powerful. This includes things like all_hosts. 265 // Unsafe indicates that we must lock anytime this is directly accessed. 266 // Unless you need to change |withheld_permissions_unsafe_|, use the (safe) 267 // withheld_permissions() accessor. 268 mutable scoped_refptr<const PermissionSet> withheld_permissions_unsafe_; 269 270 mutable TabPermissionsMap tab_specific_permissions_; 271 272 DISALLOW_COPY_AND_ASSIGN(PermissionsData); 273 }; 274 275 } // namespace extensions 276 277 #endif // EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_ 278