// Copyright (c) 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_ #define EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_ #include #include #include #include "base/macros.h" #include "base/memory/ref_counted.h" #include "base/synchronization/lock.h" #include "base/threading/thread_checker.h" #include "extensions/common/extension_id.h" #include "extensions/common/manifest.h" #include "extensions/common/permissions/api_permission.h" #include "extensions/common/permissions/permission_message.h" #include "extensions/common/permissions/permission_set.h" class GURL; namespace extensions { class URLPatternSet; // A container for the permissions state of an extension, including active, // withheld, and tab-specific permissions. // Thread-Safety: Since this is an object on the Extension object, *some* thread // safety is provided. All utility functions for checking if a permission is // present or an operation is allowed are thread-safe. However, permissions can // only be set (or updated) on the thread to which this object is bound. // Permissions may be accessed synchronously on that same thread. // Accessing on an improper thread will DCHECK(). // This is necessary to prevent a scenario in which one thread will access // permissions while another thread changes them. class PermissionsData { public: // The possible types of access for a given page. // TODO(devlin): Sometimes, this is used for things beyond just a "page", // such as network request interception or access to a particular frame. // Should we update this? If so, we should also update the titles of the // GetPageAccess()/CanAccessPage() methods below. enum class PageAccess { kDenied, // The extension is not allowed to access the given page. kAllowed, // The extension is allowed to access the given page. kWithheld, // The browser must determine if the extension can access // the given page. }; using TabPermissionsMap = std::map>; // Delegate class to allow different contexts (e.g. browser vs renderer) to // have control over policy decisions. class PolicyDelegate { public: virtual ~PolicyDelegate() {} // Returns true if script access should be blocked on this page. // Otherwise, default policy should decide. virtual bool IsRestrictedUrl(const GURL& document_url, std::string* error) = 0; }; static void SetPolicyDelegate(PolicyDelegate* delegate); PermissionsData(const ExtensionId& extension_id, Manifest::Type manifest_type, Manifest::Location location, std::unique_ptr initial_permissions); virtual ~PermissionsData(); // Returns true if the extension is a COMPONENT extension or is on the // whitelist of extensions that can script all pages. // NOTE: This is static because it is used during extension initialization, // before the extension has an associated PermissionsData object. static bool CanExecuteScriptEverywhere(const ExtensionId& extension_id, Manifest::Location location); // Returns true if the given |url| is restricted for the given |extension|, // as is commonly the case for chrome:// urls. // NOTE: You probably want to use CanAccessPage(). bool IsRestrictedUrl(const GURL& document_url, std::string* error) const; // Returns true if the "all_urls" meta-pattern should include access to // URLs with the "chrome" scheme. Access to these URLs is limited as they // are sensitive. static bool AllUrlsIncludesChromeUrls(const std::string& extension_id); // Is this extension using the default scope for policy_blocked_hosts and // policy_allowed_hosts of the ExtensionSettings policy. bool UsesDefaultPolicyHostRestrictions() const; // Locks the permissions data to the current thread. We don't do this on // construction, since extensions are initialized across multiple threads. void BindToCurrentThread() const; // Sets the runtime permissions of the given |extension| to |active| and // |withheld|. void SetPermissions(std::unique_ptr active, std::unique_ptr withheld) const; // Applies restrictions from enterprise policy limiting which URLs this // extension can interact with. The same policy can also define a default set // of URL restrictions using SetDefaultPolicyHostRestrictions. This function // overrides any default host restriction policy. void SetPolicyHostRestrictions( const URLPatternSet& policy_blocked_hosts, const URLPatternSet& policy_allowed_hosts) const; // Marks this extension as using default enterprise policy limiting // which URLs extensions can interact with. A default policy can be set with // SetDefaultPolicyHostRestrictions. A policy specific to this extension // can be set with SetPolicyHostRestrictions. void SetUsesDefaultHostRestrictions() const; // Applies restrictions from enterprise policy limiting which URLs all // extensions can interact with. This restriction can be overridden on a // per-extension basis with SetPolicyHostRestrictions. static void SetDefaultPolicyHostRestrictions( const URLPatternSet& default_policy_blocked_hosts, const URLPatternSet& default_policy_allowed_hosts); // Sets the active permissions, leaving withheld the same. void SetActivePermissions(std::unique_ptr active) const; // Updates the tab-specific permissions of |tab_id| to include those from // |permissions|. void UpdateTabSpecificPermissions(int tab_id, const PermissionSet& permissions) const; // Clears the tab-specific permissions of |tab_id|. void ClearTabSpecificPermissions(int tab_id) const; // Returns true if the |extension| has the given |permission|. Prefer // IsExtensionWithPermissionOrSuggestInConsole when developers may be using an // api that requires a permission they didn't know about, e.g. open web apis. // Note this does not include APIs with no corresponding permission, like // "runtime" or "browserAction". // TODO(mpcomplete): drop the "API" from these names, it's confusing. bool HasAPIPermission(APIPermission::ID permission) const; bool HasAPIPermission(const std::string& permission_name) const; bool HasAPIPermissionForTab(int tab_id, APIPermission::ID permission) const; bool CheckAPIPermissionWithParam( APIPermission::ID permission, const APIPermission::CheckParam* param) const; // Returns the hosts this extension effectively has access to, including // explicit and scriptable hosts, and any hosts on tabs the extension has // active tab permissions for. URLPatternSet GetEffectiveHostPermissions() const; // TODO(rdevlin.cronin): HasHostPermission() and // HasEffectiveAccessToAllHosts() are just forwards for the active // permissions. We should either get rid of these, and have callers use // active_permissions(), or should get rid of active_permissions(), and make // callers use PermissionsData for everything. We should not do both. // Whether the extension has access to the given |url|. bool HasHostPermission(const GURL& url) const; // Whether the extension has effective access to all hosts. This is true if // there is a content script that matches all hosts, if there is a host // permission grants access to all hosts (like ) or an api // permission that effectively grants access to all hosts (e.g. proxy, // network, etc.) bool HasEffectiveAccessToAllHosts() const; // Returns the full list of permission details for messages that should // display at install time, in a nested format ready for display. PermissionMessages GetPermissionMessages() const; // Returns the list of permission details for permissions that are included in // active_permissions(), but not present in |granted_permissions|. These are // returned in a nested format, ready for display. PermissionMessages GetNewPermissionMessages( const PermissionSet& granted_permissions) const; // Returns true if the associated extension has permission to access and // interact with the specified page, in order to do things like inject // scripts or modify the content. // If this returns false and |error| is non-NULL, |error| will be popualted // with the reason the extension cannot access the page. bool CanAccessPage(const GURL& document_url, int tab_id, std::string* error) const; // Like CanAccessPage, but also takes withheld permissions into account. // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers // know how to wait for permission. PageAccess GetPageAccess(const GURL& document_url, int tab_id, std::string* error) const; // Returns true if the associated extension has permission to inject a // content script on the page. // If this returns false and |error| is non-NULL, |error| will be popualted // with the reason the extension cannot script the page. // NOTE: You almost certainly want to use CanAccessPage() instead of this // method. bool CanRunContentScriptOnPage(const GURL& document_url, int tab_id, std::string* error) const; // Like CanRunContentScriptOnPage, but also takes withheld permissions into // account. // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers // know how to wait for permission. PageAccess GetContentScriptAccess(const GURL& document_url, int tab_id, std::string* error) const; // Returns true if the associated extension is allowed to obtain the contents // of a page as an image. Pages may contain multiple sources (e.g., // example.com may embed google.com), so simply checking the top-frame's URL // is insufficient. // Instead: // - If the page is a chrome:// page, require activeTab. // - For all other pages, require host permissions to the document // (GetPageAccess()) and one of either or granted activeTab. bool CanCaptureVisiblePage(const GURL& document_url, int tab_id, std::string* error) const; const TabPermissionsMap& tab_specific_permissions() const { DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread()); return tab_specific_permissions_; } const PermissionSet& active_permissions() const { DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread()); return *active_permissions_unsafe_; } const PermissionSet& withheld_permissions() const { DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread()); return *withheld_permissions_unsafe_; } // Returns list of hosts this extension may not interact with by policy. // This should only be used for 1. Serialization when initializing renderers // or 2. Called from utility methods above. For all other uses, call utility // methods instead (e.g. CanAccessPage()). static const URLPatternSet& default_policy_blocked_hosts(); // Returns list of hosts this extension may interact with regardless of // what is defined by policy_blocked_hosts(). // This should only be used for 1. Serialization when initializing renderers // or 2. Called from utility methods above. For all other uses, call utility // methods instead (e.g. CanAccessPage()). static const URLPatternSet& default_policy_allowed_hosts(); // Returns list of hosts this extension may not interact with by policy. // This should only be used for 1. Serialization when initializing renderers // or 2. Called from utility methods above. For all other uses, call utility // methods instead (e.g. CanAccessPage()). const URLPatternSet policy_blocked_hosts() const; // Returns list of hosts this extension may interact with regardless of // what is defined by policy_blocked_hosts(). // This should only be used for 1. Serialization when initializing renderers // or 2. Called from utility methods above. For all other uses, call utility // methods instead (e.g. CanAccessPage()). const URLPatternSet policy_allowed_hosts() const; // Check if a specific URL is blocked by policy from extension use at runtime. bool IsPolicyBlockedHost(const GURL& url) const { base::AutoLock auto_lock(runtime_lock_); return IsPolicyBlockedHostUnsafe(url); } #if defined(UNIT_TEST) const PermissionSet* GetTabSpecificPermissionsForTesting(int tab_id) const { base::AutoLock auto_lock(runtime_lock_); return GetTabSpecificPermissions(tab_id); } #endif private: // Gets the tab-specific host permissions of |tab_id|, or NULL if there // aren't any. // Must be called with |runtime_lock_| acquired. const PermissionSet* GetTabSpecificPermissions(int tab_id) const; // Returns whether or not the extension is permitted to run on the given page, // checking against |permitted_url_patterns| and |tab_url_patterns| in // addition to blocking special sites (like the webstore or chrome:// urls). // Must be called with |runtime_lock_| acquired. PageAccess CanRunOnPage(const GURL& document_url, int tab_id, const URLPatternSet& permitted_url_patterns, const URLPatternSet& withheld_url_patterns, const URLPatternSet* tab_url_patterns, std::string* error) const; // Check if a specific URL is blocked by policy from extension use at runtime. // You must acquire the runtime_lock_ before calling. bool IsPolicyBlockedHostUnsafe(const GURL& url) const; // Same as policy_blocked_hosts but instead returns a reference. // You must acquire runtime_lock_ before calling this. const URLPatternSet& PolicyBlockedHostsUnsafe() const; // Same as policy_allowed_hosts but instead returns a reference. // You must acquire runtime_lock_ before calling this. const URLPatternSet& PolicyAllowedHostsUnsafe() const; // The associated extension's id. std::string extension_id_; // The associated extension's manifest type. Manifest::Type manifest_type_; // The associated extension's location. Manifest::Location location_; mutable base::Lock runtime_lock_; // The permission's which are currently active on the extension during // runtime. // Unsafe indicates that we must lock anytime this is directly accessed. // Unless you need to change |active_permissions_unsafe_|, use the (safe) // active_permissions() accessor. mutable std::unique_ptr active_permissions_unsafe_; // The permissions the extension requested, but was not granted due because // they are too powerful. This includes things like all_hosts. // Unsafe indicates that we must lock anytime this is directly accessed. // Unless you need to change |withheld_permissions_unsafe_|, use the (safe) // withheld_permissions() accessor. mutable std::unique_ptr withheld_permissions_unsafe_; // The list of hosts an extension may not interact with by policy. // Unless you need to change |policy_blocked_hosts_unsafe_|, use the (safe) // policy_blocked_hosts() accessor. mutable URLPatternSet policy_blocked_hosts_unsafe_; // The exclusive list of hosts an extension may interact with by policy. // Unless you need to change |policy_allowed_hosts_unsafe_|, use the (safe) // policy_allowed_hosts() accessor. mutable URLPatternSet policy_allowed_hosts_unsafe_; // If the ExtensionSettings policy is not being used, or no per-extension // exception to the default policy was declared for this extension. mutable bool uses_default_policy_host_restrictions = true; mutable TabPermissionsMap tab_specific_permissions_; mutable std::unique_ptr thread_checker_; DISALLOW_COPY_AND_ASSIGN(PermissionsData); }; } // namespace extensions #endif // EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_