search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Extensions: Remove the legacy GetMessages/HasMessages
[chromium-blink-merge.git] / chrome / common / extensions / permissions / permission_set_unittest.cc
blobe62a5109a902e7d23950a1c0e20fd890d253c5b2
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/command_line.h"
6 #include "base/json/json_file_value_serializer.h"
7 #include "base/logging.h"
8 #include "base/strings/string_number_conversions.h"
9 #include "base/strings/stringprintf.h"
10 #include "base/strings/utf_string_conversions.h"
11 #include "chrome/common/chrome_paths.h"
12 #include "chrome/common/chrome_switches.h"
13 #include "chrome/common/extensions/extension_test_util.h"
14 #include "chrome/common/extensions/features/feature_channel.h"
15 #include "chrome/common/extensions/permissions/chrome_permission_message_provider.h"
16 #include "chrome/grit/generated_resources.h"
17 #include "components/version_info/version_info.h"
18 #include "extensions/common/error_utils.h"
19 #include "extensions/common/extension.h"
20 #include "extensions/common/extension_builder.h"
21 #include "extensions/common/permissions/permission_message_provider.h"
22 #include "extensions/common/permissions/permission_message_test_util.h"
23 #include "extensions/common/permissions/permission_message_util.h"
24 #include "extensions/common/permissions/permission_set.h"
25 #include "extensions/common/permissions/permissions_data.h"
26 #include "extensions/common/permissions/permissions_info.h"
27 #include "extensions/common/permissions/socket_permission.h"
28 #include "extensions/common/value_builder.h"
29 #include "extensions/strings/grit/extensions_strings.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31 #include "ui/base/l10n/l10n_util.h"
32
33 using extension_test_util::LoadManifest;
34
35 namespace extensions {
36
37 namespace {
38
39 static void AddPattern(URLPatternSet* extent, const std::string& pattern) {
40 int schemes = URLPattern::SCHEME_ALL;
41 extent->AddPattern(URLPattern(schemes, pattern));
42 }
43
44 size_t IndexOf(const CoalescedPermissionMessages& warnings,
45 const std::string& warning) {
46 size_t i = 0;
47 for (const CoalescedPermissionMessage& msg : warnings) {
48 if (msg.message() == base::ASCIIToUTF16(warning))
49 return i;
50 ++i;
51 }
52
53 return warnings.size();
54 }
55
56 PermissionIDSet MakePermissionIDSet(APIPermission::ID id) {
57 PermissionIDSet set;
58 set.insert(id);
59 return set;
60 }
61
62 PermissionIDSet MakePermissionIDSet(APIPermission::ID id1,
63 APIPermission::ID id2) {
64 PermissionIDSet set;
65 set.insert(id1);
66 set.insert(id2);
67 return set;
68 }
69
70 PermissionIDSet MakePermissionIDSet(const APIPermissionSet& permissions) {
71 PermissionIDSet set;
72 for (const APIPermission* permission : permissions)
73 set.insert(permission->id());
74 return set;
75 }
76
77 std::string PermissionIDsToString(const PermissionIDSet& ids) {
78 std::vector<std::string> strs;
79 for (const PermissionID& id : ids)
80 strs.push_back(base::IntToString(id.id()));
81 return base::StringPrintf("[ %s ]", base::JoinString(strs, ", ").c_str());
82 }
83
84 std::string CoalescedPermissionIDsToString(
85 const CoalescedPermissionMessages& msgs) {
86 std::vector<std::string> strs;
87 for (const CoalescedPermissionMessage& msg : msgs)
88 strs.push_back(PermissionIDsToString(msg.permissions()));
89 return base::JoinString(strs, " ");
90 }
91
92 // Check that the given |permissions| produce a single warning message,
93 // identified by the set of |expected_ids|.
94 testing::AssertionResult PermissionSetProducesMessage(
95 const PermissionSet* permissions,
96 Manifest::Type extension_type,
97 const PermissionIDSet& expected_ids) {
98 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
99
100 CoalescedPermissionMessages msgs = provider->GetPermissionMessages(
101 provider->GetAllPermissionIDs(permissions, extension_type));
102 if (msgs.size() != 1) {
103 return testing::AssertionFailure()
104 << "Expected single permission message with IDs "
105 << PermissionIDsToString(expected_ids) << " but got " << msgs.size()
106 << " messages: " << CoalescedPermissionIDsToString(msgs);
107 }
108 if (!msgs.front().permissions().Equals(expected_ids)) {
109 return testing::AssertionFailure()
110 << "Expected permission IDs " << PermissionIDsToString(expected_ids)
111 << " but got " << PermissionIDsToString(msgs.front().permissions());
112 }
113
114 return testing::AssertionSuccess();
115 }
116
117 } // namespace
118
119 // Tests GetByID.
120 TEST(PermissionsTest, GetByID) {
121 PermissionsInfo* info = PermissionsInfo::GetInstance();
122 APIPermissionSet apis = info->GetAll();
123 for (APIPermissionSet::const_iterator i = apis.begin();
124 i != apis.end(); ++i) {
125 EXPECT_EQ(i->id(), i->info()->id());
126 }
127 }
128
129 // Tests that GetByName works with normal permission names and aliases.
130 TEST(PermissionsTest, GetByName) {
131 PermissionsInfo* info = PermissionsInfo::GetInstance();
132 EXPECT_EQ(APIPermission::kTab, info->GetByName("tabs")->id());
133 EXPECT_EQ(APIPermission::kManagement,
134 info->GetByName("management")->id());
135 EXPECT_FALSE(info->GetByName("alsdkfjasldkfj"));
136 }
137
138 TEST(PermissionsTest, GetAll) {
139 size_t count = 0;
140 PermissionsInfo* info = PermissionsInfo::GetInstance();
141 APIPermissionSet apis = info->GetAll();
142 for (APIPermissionSet::const_iterator api = apis.begin();
143 api != apis.end(); ++api) {
144 // Make sure only the valid permission IDs get returned.
145 EXPECT_NE(APIPermission::kInvalid, api->id());
146 EXPECT_NE(APIPermission::kUnknown, api->id());
147 count++;
148 }
149 EXPECT_EQ(count, info->get_permission_count());
150 }
151
152 TEST(PermissionsTest, GetAllByName) {
153 std::set<std::string> names;
154 names.insert("background");
155 names.insert("management");
156
157 // This is an alias of kTab
158 names.insert("windows");
159
160 // This unknown name should get dropped.
161 names.insert("sdlkfjasdlkfj");
162
163 APIPermissionSet expected;
164 expected.insert(APIPermission::kBackground);
165 expected.insert(APIPermission::kManagement);
166 expected.insert(APIPermission::kTab);
167
168 EXPECT_EQ(expected,
169 PermissionsInfo::GetInstance()->GetAllByName(names));
170 }
171
172 // Tests that the aliases are properly mapped.
173 TEST(PermissionsTest, Aliases) {
174 PermissionsInfo* info = PermissionsInfo::GetInstance();
175 // tabs: tabs, windows
176 std::string tabs_name = "tabs";
177 EXPECT_EQ(tabs_name, info->GetByID(APIPermission::kTab)->name());
178 EXPECT_EQ(APIPermission::kTab, info->GetByName("tabs")->id());
179 EXPECT_EQ(APIPermission::kTab, info->GetByName("windows")->id());
180
181 // unlimitedStorage: unlimitedStorage, unlimited_storage
182 std::string storage_name = "unlimitedStorage";
183 EXPECT_EQ(storage_name, info->GetByID(
184 APIPermission::kUnlimitedStorage)->name());
185 EXPECT_EQ(APIPermission::kUnlimitedStorage,
186 info->GetByName("unlimitedStorage")->id());
187 EXPECT_EQ(APIPermission::kUnlimitedStorage,
188 info->GetByName("unlimited_storage")->id());
189 }
190
191 TEST(PermissionsTest, EffectiveHostPermissions) {
192 scoped_refptr<Extension> extension;
193 scoped_refptr<const PermissionSet> permissions;
194
195 extension = LoadManifest("effective_host_permissions", "empty.json");
196 permissions = extension->permissions_data()->active_permissions();
197 EXPECT_EQ(0u,
198 extension->permissions_data()
199 ->GetEffectiveHostPermissions()
200 .patterns()
201 .size());
202 EXPECT_FALSE(
203 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
204 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
205
206 extension = LoadManifest("effective_host_permissions", "one_host.json");
207 permissions = extension->permissions_data()->active_permissions();
208 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
209 GURL("http://www.google.com")));
210 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(
211 GURL("https://www.google.com")));
212 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
213
214 extension = LoadManifest("effective_host_permissions",
215 "one_host_wildcard.json");
216 permissions = extension->permissions_data()->active_permissions();
217 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
218 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
219 GURL("http://foo.google.com")));
220 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
221
222 extension = LoadManifest("effective_host_permissions", "two_hosts.json");
223 permissions = extension->permissions_data()->active_permissions();
224 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
225 GURL("http://www.google.com")));
226 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
227 GURL("http://www.reddit.com")));
228 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
229
230 extension = LoadManifest("effective_host_permissions",
231 "https_not_considered.json");
232 permissions = extension->permissions_data()->active_permissions();
233 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
234 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("https://google.com")));
235 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
236
237 extension = LoadManifest("effective_host_permissions",
238 "two_content_scripts.json");
239 permissions = extension->permissions_data()->active_permissions();
240 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
241 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
242 GURL("http://www.reddit.com")));
243 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
244 GURL("http://news.ycombinator.com")));
245 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
246
247 extension = LoadManifest("effective_host_permissions", "all_hosts.json");
248 permissions = extension->permissions_data()->active_permissions();
249 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
250 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(GURL("https://test/")));
251 EXPECT_TRUE(
252 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
253 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
254
255 extension = LoadManifest("effective_host_permissions", "all_hosts2.json");
256 permissions = extension->permissions_data()->active_permissions();
257 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
258 EXPECT_TRUE(
259 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
260 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
261
262 extension = LoadManifest("effective_host_permissions", "all_hosts3.json");
263 permissions = extension->permissions_data()->active_permissions();
264 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
265 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("https://test/")));
266 EXPECT_TRUE(
267 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
268 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
269 }
270
271 TEST(PermissionsTest, ExplicitAccessToOrigin) {
272 APIPermissionSet apis;
273 ManifestPermissionSet manifest_permissions;
274 URLPatternSet explicit_hosts;
275 URLPatternSet scriptable_hosts;
276
277 AddPattern(&explicit_hosts, "http://*.google.com/*");
278 // The explicit host paths should get set to /*.
279 AddPattern(&explicit_hosts, "http://www.example.com/a/particular/path/*");
280
281 scoped_refptr<PermissionSet> perm_set = new PermissionSet(
282 apis, manifest_permissions, explicit_hosts, scriptable_hosts);
283 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
284 GURL("http://www.google.com/")));
285 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
286 GURL("http://test.google.com/")));
287 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
288 GURL("http://www.example.com")));
289 ASSERT_TRUE(perm_set->HasEffectiveAccessToURL(
290 GURL("http://www.example.com")));
291 ASSERT_FALSE(perm_set->HasExplicitAccessToOrigin(
292 GURL("http://test.example.com")));
293 }
294
295 TEST(PermissionsTest, CreateUnion) {
296 APIPermission* permission = NULL;
297
298 ManifestPermissionSet manifest_permissions;
299 APIPermissionSet apis1;
300 APIPermissionSet apis2;
301 APIPermissionSet expected_apis;
302
303 URLPatternSet explicit_hosts1;
304 URLPatternSet explicit_hosts2;
305 URLPatternSet expected_explicit_hosts;
306
307 URLPatternSet scriptable_hosts1;
308 URLPatternSet scriptable_hosts2;
309 URLPatternSet expected_scriptable_hosts;
310
311 URLPatternSet effective_hosts;
312
313 scoped_refptr<PermissionSet> set1;
314 scoped_refptr<PermissionSet> set2;
315 scoped_refptr<PermissionSet> union_set;
316
317 const APIPermissionInfo* permission_info =
318 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
319 permission = permission_info->CreateAPIPermission();
320 {
321 scoped_ptr<base::ListValue> value(new base::ListValue());
322 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
323 value->Append(new base::StringValue("udp-bind::8080"));
324 value->Append(new base::StringValue("udp-send-to::8888"));
325 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
326 }
327
328 // Union with an empty set.
329 apis1.insert(APIPermission::kTab);
330 apis1.insert(APIPermission::kBackground);
331 apis1.insert(permission->Clone());
332 expected_apis.insert(APIPermission::kTab);
333 expected_apis.insert(APIPermission::kBackground);
334 expected_apis.insert(permission);
335
336 AddPattern(&explicit_hosts1, "http://*.google.com/*");
337 AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
338 AddPattern(&effective_hosts, "http://*.google.com/*");
339
340 set1 = new PermissionSet(apis1, manifest_permissions,
341 explicit_hosts1, scriptable_hosts1);
342 set2 = new PermissionSet(apis2, manifest_permissions,
343 explicit_hosts2, scriptable_hosts2);
344 union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
345 EXPECT_TRUE(set1->Contains(*set2.get()));
346 EXPECT_TRUE(set1->Contains(*union_set.get()));
347 EXPECT_FALSE(set2->Contains(*set1.get()));
348 EXPECT_FALSE(set2->Contains(*union_set.get()));
349 EXPECT_TRUE(union_set->Contains(*set1.get()));
350 EXPECT_TRUE(union_set->Contains(*set2.get()));
351
352 EXPECT_FALSE(union_set->HasEffectiveFullAccess());
353 EXPECT_EQ(expected_apis, union_set->apis());
354 EXPECT_EQ(expected_explicit_hosts, union_set->explicit_hosts());
355 EXPECT_EQ(expected_scriptable_hosts, union_set->scriptable_hosts());
356 EXPECT_EQ(expected_explicit_hosts, union_set->effective_hosts());
357
358 // Now use a real second set.
359 apis2.insert(APIPermission::kTab);
360 apis2.insert(APIPermission::kProxy);
361 apis2.insert(APIPermission::kClipboardWrite);
362 apis2.insert(APIPermission::kPlugin);
363
364 permission = permission_info->CreateAPIPermission();
365 {
366 scoped_ptr<base::ListValue> value(new base::ListValue());
367 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
368 value->Append(new base::StringValue("udp-send-to::8899"));
369 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
370 }
371 apis2.insert(permission);
372
373 expected_apis.insert(APIPermission::kTab);
374 expected_apis.insert(APIPermission::kProxy);
375 expected_apis.insert(APIPermission::kClipboardWrite);
376 expected_apis.insert(APIPermission::kPlugin);
377
378 permission = permission_info->CreateAPIPermission();
379 {
380 scoped_ptr<base::ListValue> value(new base::ListValue());
381 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
382 value->Append(new base::StringValue("udp-bind::8080"));
383 value->Append(new base::StringValue("udp-send-to::8888"));
384 value->Append(new base::StringValue("udp-send-to::8899"));
385 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
386 }
387 // Insert a new permission socket permisssion which will replace the old one.
388 expected_apis.insert(permission);
389
390 AddPattern(&explicit_hosts2, "http://*.example.com/*");
391 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
392 AddPattern(&expected_explicit_hosts, "http://*.example.com/*");
393 AddPattern(&expected_scriptable_hosts, "http://*.google.com/*");
394
395 URLPatternSet::CreateUnion(
396 explicit_hosts2, scriptable_hosts2, &effective_hosts);
397
398 set2 = new PermissionSet(apis2, manifest_permissions,
399 explicit_hosts2, scriptable_hosts2);
400 union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
401
402 EXPECT_FALSE(set1->Contains(*set2.get()));
403 EXPECT_FALSE(set1->Contains(*union_set.get()));
404 EXPECT_FALSE(set2->Contains(*set1.get()));
405 EXPECT_FALSE(set2->Contains(*union_set.get()));
406 EXPECT_TRUE(union_set->Contains(*set1.get()));
407 EXPECT_TRUE(union_set->Contains(*set2.get()));
408
409 EXPECT_TRUE(union_set->HasEffectiveFullAccess());
410 EXPECT_TRUE(union_set->HasEffectiveAccessToAllHosts());
411 EXPECT_EQ(expected_apis, union_set->apis());
412 EXPECT_EQ(expected_explicit_hosts, union_set->explicit_hosts());
413 EXPECT_EQ(expected_scriptable_hosts, union_set->scriptable_hosts());
414 EXPECT_EQ(effective_hosts, union_set->effective_hosts());
415 }
416
417 TEST(PermissionsTest, CreateIntersection) {
418 APIPermission* permission = NULL;
419
420 ManifestPermissionSet manifest_permissions;
421 APIPermissionSet apis1;
422 APIPermissionSet apis2;
423 APIPermissionSet expected_apis;
424
425 URLPatternSet explicit_hosts1;
426 URLPatternSet explicit_hosts2;
427 URLPatternSet expected_explicit_hosts;
428
429 URLPatternSet scriptable_hosts1;
430 URLPatternSet scriptable_hosts2;
431 URLPatternSet expected_scriptable_hosts;
432
433 URLPatternSet effective_hosts;
434
435 scoped_refptr<PermissionSet> set1;
436 scoped_refptr<PermissionSet> set2;
437 scoped_refptr<PermissionSet> new_set;
438
439 const APIPermissionInfo* permission_info =
440 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
441
442 // Intersection with an empty set.
443 apis1.insert(APIPermission::kTab);
444 apis1.insert(APIPermission::kBackground);
445 permission = permission_info->CreateAPIPermission();
446 {
447 scoped_ptr<base::ListValue> value(new base::ListValue());
448 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
449 value->Append(new base::StringValue("udp-bind::8080"));
450 value->Append(new base::StringValue("udp-send-to::8888"));
451 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
452 }
453 apis1.insert(permission);
454
455 AddPattern(&explicit_hosts1, "http://*.google.com/*");
456 AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
457
458 set1 = new PermissionSet(apis1, manifest_permissions,
459 explicit_hosts1, scriptable_hosts1);
460 set2 = new PermissionSet(apis2, manifest_permissions,
461 explicit_hosts2, scriptable_hosts2);
462 new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
463 EXPECT_TRUE(set1->Contains(*new_set.get()));
464 EXPECT_TRUE(set2->Contains(*new_set.get()));
465 EXPECT_TRUE(set1->Contains(*set2.get()));
466 EXPECT_FALSE(set2->Contains(*set1.get()));
467 EXPECT_FALSE(new_set->Contains(*set1.get()));
468 EXPECT_TRUE(new_set->Contains(*set2.get()));
469
470 EXPECT_TRUE(new_set->IsEmpty());
471 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
472 EXPECT_EQ(expected_apis, new_set->apis());
473 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
474 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
475 EXPECT_EQ(expected_explicit_hosts, new_set->effective_hosts());
476
477 // Now use a real second set.
478 apis2.insert(APIPermission::kTab);
479 apis2.insert(APIPermission::kProxy);
480 apis2.insert(APIPermission::kClipboardWrite);
481 apis2.insert(APIPermission::kPlugin);
482 permission = permission_info->CreateAPIPermission();
483 {
484 scoped_ptr<base::ListValue> value(new base::ListValue());
485 value->Append(new base::StringValue("udp-bind::8080"));
486 value->Append(new base::StringValue("udp-send-to::8888"));
487 value->Append(new base::StringValue("udp-send-to::8899"));
488 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
489 }
490 apis2.insert(permission);
491
492 expected_apis.insert(APIPermission::kTab);
493 permission = permission_info->CreateAPIPermission();
494 {
495 scoped_ptr<base::ListValue> value(new base::ListValue());
496 value->Append(new base::StringValue("udp-bind::8080"));
497 value->Append(new base::StringValue("udp-send-to::8888"));
498 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
499 }
500 expected_apis.insert(permission);
501
502 AddPattern(&explicit_hosts2, "http://*.example.com/*");
503 AddPattern(&explicit_hosts2, "http://*.google.com/*");
504 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
505 AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
506
507 effective_hosts.ClearPatterns();
508 AddPattern(&effective_hosts, "http://*.google.com/*");
509
510 set2 = new PermissionSet(apis2, manifest_permissions,
511 explicit_hosts2, scriptable_hosts2);
512 new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
513
514 EXPECT_TRUE(set1->Contains(*new_set.get()));
515 EXPECT_TRUE(set2->Contains(*new_set.get()));
516 EXPECT_FALSE(set1->Contains(*set2.get()));
517 EXPECT_FALSE(set2->Contains(*set1.get()));
518 EXPECT_FALSE(new_set->Contains(*set1.get()));
519 EXPECT_FALSE(new_set->Contains(*set2.get()));
520
521 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
522 EXPECT_FALSE(new_set->HasEffectiveAccessToAllHosts());
523 EXPECT_EQ(expected_apis, new_set->apis());
524 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
525 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
526 EXPECT_EQ(effective_hosts, new_set->effective_hosts());
527 }
528
529 TEST(PermissionsTest, CreateDifference) {
530 APIPermission* permission = NULL;
531
532 ManifestPermissionSet manifest_permissions;
533 APIPermissionSet apis1;
534 APIPermissionSet apis2;
535 APIPermissionSet expected_apis;
536
537 URLPatternSet explicit_hosts1;
538 URLPatternSet explicit_hosts2;
539 URLPatternSet expected_explicit_hosts;
540
541 URLPatternSet scriptable_hosts1;
542 URLPatternSet scriptable_hosts2;
543 URLPatternSet expected_scriptable_hosts;
544
545 URLPatternSet effective_hosts;
546
547 scoped_refptr<PermissionSet> set1;
548 scoped_refptr<PermissionSet> set2;
549 scoped_refptr<PermissionSet> new_set;
550
551 const APIPermissionInfo* permission_info =
552 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
553
554 // Difference with an empty set.
555 apis1.insert(APIPermission::kTab);
556 apis1.insert(APIPermission::kBackground);
557 permission = permission_info->CreateAPIPermission();
558 {
559 scoped_ptr<base::ListValue> value(new base::ListValue());
560 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
561 value->Append(new base::StringValue("udp-bind::8080"));
562 value->Append(new base::StringValue("udp-send-to::8888"));
563 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
564 }
565 apis1.insert(permission);
566
567 AddPattern(&explicit_hosts1, "http://*.google.com/*");
568 AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
569
570 set1 = new PermissionSet(apis1, manifest_permissions,
571 explicit_hosts1, scriptable_hosts1);
572 set2 = new PermissionSet(apis2, manifest_permissions,
573 explicit_hosts2, scriptable_hosts2);
574 new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
575 EXPECT_EQ(*set1.get(), *new_set.get());
576
577 // Now use a real second set.
578 apis2.insert(APIPermission::kTab);
579 apis2.insert(APIPermission::kProxy);
580 apis2.insert(APIPermission::kClipboardWrite);
581 apis2.insert(APIPermission::kPlugin);
582 permission = permission_info->CreateAPIPermission();
583 {
584 scoped_ptr<base::ListValue> value(new base::ListValue());
585 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
586 value->Append(new base::StringValue("udp-send-to::8899"));
587 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
588 }
589 apis2.insert(permission);
590
591 expected_apis.insert(APIPermission::kBackground);
592 permission = permission_info->CreateAPIPermission();
593 {
594 scoped_ptr<base::ListValue> value(new base::ListValue());
595 value->Append(new base::StringValue("udp-bind::8080"));
596 value->Append(new base::StringValue("udp-send-to::8888"));
597 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
598 }
599 expected_apis.insert(permission);
600
601 AddPattern(&explicit_hosts2, "http://*.example.com/*");
602 AddPattern(&explicit_hosts2, "http://*.google.com/*");
603 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
604 AddPattern(&expected_scriptable_hosts, "http://www.reddit.com/*");
605
606 effective_hosts.ClearPatterns();
607 AddPattern(&effective_hosts, "http://www.reddit.com/*");
608
609 set2 = new PermissionSet(apis2, manifest_permissions,
610 explicit_hosts2, scriptable_hosts2);
611 new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
612
613 EXPECT_TRUE(set1->Contains(*new_set.get()));
614 EXPECT_FALSE(set2->Contains(*new_set.get()));
615
616 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
617 EXPECT_FALSE(new_set->HasEffectiveAccessToAllHosts());
618 EXPECT_EQ(expected_apis, new_set->apis());
619 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
620 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
621 EXPECT_EQ(effective_hosts, new_set->effective_hosts());
622
623 // |set3| = |set1| - |set2| --> |set3| intersect |set2| == empty_set
624 set1 = PermissionSet::CreateIntersection(new_set.get(), set2.get());
625 EXPECT_TRUE(set1->IsEmpty());
626 }
627
628 TEST(PermissionsTest, IsPrivilegeIncrease) {
629 const struct {
630 const char* base_name;
631 bool expect_increase;
632 } kTests[] = {
633 { "allhosts1", false }, // all -> all
634 { "allhosts2", false }, // all -> one
635 { "allhosts3", true }, // one -> all
636 { "hosts1", false }, // http://a,http://b -> http://a,http://b
637 { "hosts2", true }, // http://a,http://b -> https://a,http://*.b
638 { "hosts3", false }, // http://a,http://b -> http://a
639 { "hosts4", true }, // http://a -> http://a,http://b
640 { "hosts5", false }, // http://a,b,c -> http://a,b,c + https://a,b,c
641 { "hosts6", false }, // http://a.com -> http://a.com + http://a.co.uk
642 { "permissions1", false }, // tabs -> tabs
643 { "permissions2", true }, // tabs -> tabs,bookmarks
644 // TODO(treib): This is wrong, kAllHosts implies kTabs. crbug.com/512344
645 { "permissions3", true }, // http://*/* -> http://*/*,tabs
646 { "permissions5", true }, // bookmarks -> bookmarks,history
647 { "equivalent_warnings", false }, // tabs --> tabs, webNavigation
648 #if !defined(OS_CHROMEOS) // plugins aren't allowed in ChromeOS
649 { "permissions4", false }, // plugin -> plugin,tabs
650 { "plugin1", false }, // plugin -> plugin
651 { "plugin2", false }, // plugin -> none
652 { "plugin3", true }, // none -> plugin
653 #endif
654 { "storage", false }, // none -> storage
655 { "notifications", false }, // none -> notifications
656 { "platformapp1", false }, // host permissions for platform apps
657 { "platformapp2", true }, // API permissions for platform apps
658 { "media_galleries1", true }, // all -> read|all
659 { "media_galleries2", true }, // read|all -> read|delete|copyTo|all
660 { "media_galleries3", true }, // all -> read|delete|all
661 { "media_galleries4", false }, // read|all -> all
662 { "media_galleries5", false }, // read|copyTo|delete|all -> read|all
663 { "media_galleries6", false }, // read|all -> read|all
664 { "media_galleries7", true }, // read|delete|all -> read|copyTo|delete|all
665 { "sockets1", true }, // none -> tcp:*:*
666 { "sockets2", false }, // tcp:*:* -> tcp:*:*
667 { "sockets3", true }, // tcp:a.com:80 -> tcp:*:*
668 };
669
670 for (size_t i = 0; i < arraysize(kTests); ++i) {
671 scoped_refptr<Extension> old_extension(
672 LoadManifest("allow_silent_upgrade",
673 std::string(kTests[i].base_name) + "_old.json"));
674 scoped_refptr<Extension> new_extension(
675 LoadManifest("allow_silent_upgrade",
676 std::string(kTests[i].base_name) + "_new.json"));
677
678 EXPECT_TRUE(new_extension.get()) << kTests[i].base_name << "_new.json";
679 if (!new_extension.get())
680 continue;
681
682 scoped_refptr<const PermissionSet> old_p(
683 old_extension->permissions_data()->active_permissions());
684 scoped_refptr<const PermissionSet> new_p(
685 new_extension->permissions_data()->active_permissions());
686 Manifest::Type extension_type = old_extension->GetType();
687
688 bool increased = PermissionMessageProvider::Get()->IsPrivilegeIncrease(
689 old_p.get(), new_p.get(), extension_type);
690 EXPECT_EQ(kTests[i].expect_increase, increased) << kTests[i].base_name;
691 }
692 }
693
694 TEST(PermissionsTest, PermissionMessages) {
695 // Ensure that all permissions that needs to show install UI actually have
696 // strings associated with them.
697 APIPermissionSet skip;
698
699 // These are considered "nuisance" or "trivial" permissions that don't need
700 // a prompt.
701 skip.insert(APIPermission::kActiveTab);
702 skip.insert(APIPermission::kAlarms);
703 skip.insert(APIPermission::kAlphaEnabled);
704 skip.insert(APIPermission::kAlwaysOnTopWindows);
705 skip.insert(APIPermission::kAppView);
706 skip.insert(APIPermission::kAudio);
707 skip.insert(APIPermission::kAudioModem);
708 skip.insert(APIPermission::kBrowsingData);
709 skip.insert(APIPermission::kCastStreaming);
710 skip.insert(APIPermission::kCommandsAccessibility);
711 skip.insert(APIPermission::kContextMenus);
712 skip.insert(APIPermission::kCryptotokenPrivate);
713 skip.insert(APIPermission::kCopresencePrivate);
714 skip.insert(APIPermission::kDesktopCapturePrivate);
715 skip.insert(APIPermission::kDiagnostics);
716 skip.insert(APIPermission::kDns);
717 skip.insert(APIPermission::kDownloadsShelf);
718 skip.insert(APIPermission::kEmbeddedExtensionOptions);
719 skip.insert(APIPermission::kExtensionView);
720 skip.insert(APIPermission::kFontSettings);
721 skip.insert(APIPermission::kFullscreen);
722 skip.insert(APIPermission::kGcm);
723 skip.insert(APIPermission::kIdle);
724 skip.insert(APIPermission::kImeWindowEnabled);
725 skip.insert(APIPermission::kInlineInstallPrivate);
726 skip.insert(APIPermission::kIdltest);
727 skip.insert(APIPermission::kLogPrivate);
728 skip.insert(APIPermission::kNotifications);
729 skip.insert(APIPermission::kNotificationProvider);
730 skip.insert(APIPermission::kOverrideEscFullscreen);
731 skip.insert(APIPermission::kPointerLock);
732 skip.insert(APIPermission::kPower);
733 skip.insert(APIPermission::kPrinterProvider);
734 skip.insert(APIPermission::kSessions);
735 skip.insert(APIPermission::kStorage);
736 skip.insert(APIPermission::kSystemCpu);
737 skip.insert(APIPermission::kSystemDisplay);
738 skip.insert(APIPermission::kSystemMemory);
739 skip.insert(APIPermission::kSystemNetwork);
740 skip.insert(APIPermission::kSystemStorage);
741 skip.insert(APIPermission::kTts);
742 skip.insert(APIPermission::kUnlimitedStorage);
743 skip.insert(APIPermission::kWebcamPrivate);
744 skip.insert(APIPermission::kWebView);
745 skip.insert(APIPermission::kWindowShape);
746
747 // These permissions are restricted to extensions force-installed by policy
748 // and don't require a prompt, i.e. they're restricted to location 'policy'.
749 skip.insert(APIPermission::kEnterprisePlatformKeys);
750 skip.insert(APIPermission::kEnterpriseDeviceAttributes);
751
752 // TODO(erikkay) add a string for this permission.
753 skip.insert(APIPermission::kBackground);
754
755 skip.insert(APIPermission::kClipboardWrite);
756
757 // The cookie permission does nothing unless you have associated host
758 // permissions.
759 skip.insert(APIPermission::kCookie);
760
761 // These are warned as part of host permission checks.
762 skip.insert(APIPermission::kDataReductionProxy);
763 skip.insert(APIPermission::kDeclarativeContent);
764 skip.insert(APIPermission::kPageCapture);
765 skip.insert(APIPermission::kProxy);
766 skip.insert(APIPermission::kTabCapture);
767 skip.insert(APIPermission::kWebRequest);
768 skip.insert(APIPermission::kWebRequestBlocking);
769
770 // This permission requires explicit user action (context menu handler)
771 // so we won't prompt for it for now.
772 skip.insert(APIPermission::kFileBrowserHandler);
773
774 // These permissions require explicit user action (configuration dialog)
775 // so we don't prompt for them at install time.
776 skip.insert(APIPermission::kMediaGalleries);
777
778 // If you've turned on the experimental command-line flag, we don't need
779 // to warn you further.
780 skip.insert(APIPermission::kExperimental);
781
782 // The Identity API has its own server-driven permission prompts.
783 skip.insert(APIPermission::kIdentity);
784
785 // These are private.
786 skip.insert(APIPermission::kAccessibilityPrivate);
787 skip.insert(APIPermission::kAutoTestPrivate);
788 skip.insert(APIPermission::kBookmarkManagerPrivate);
789 skip.insert(APIPermission::kBrailleDisplayPrivate);
790 skip.insert(APIPermission::kCast);
791 skip.insert(APIPermission::kCastStreaming);
792 skip.insert(APIPermission::kChromeosInfoPrivate);
793 skip.insert(APIPermission::kCloudPrintPrivate);
794 skip.insert(APIPermission::kCommandLinePrivate);
795 skip.insert(APIPermission::kDeveloperPrivate);
796 skip.insert(APIPermission::kDial);
797 skip.insert(APIPermission::kDownloadsInternal);
798 skip.insert(APIPermission::kEasyUnlockPrivate);
799 skip.insert(APIPermission::kEchoPrivate);
800 skip.insert(APIPermission::kEnterprisePlatformKeysPrivate);
801 skip.insert(APIPermission::kFeedbackPrivate);
802 skip.insert(APIPermission::kFileBrowserHandlerInternal);
803 skip.insert(APIPermission::kFileManagerPrivate);
804 skip.insert(APIPermission::kFirstRunPrivate);
805 skip.insert(APIPermission::kGcdPrivate);
806 skip.insert(APIPermission::kHotwordPrivate);
807 skip.insert(APIPermission::kIdentityPrivate);
808 skip.insert(APIPermission::kInputMethodPrivate);
809 skip.insert(APIPermission::kLanguageSettingsPrivate);
810 skip.insert(APIPermission::kMediaPlayerPrivate);
811 skip.insert(APIPermission::kMediaRouterPrivate);
812 skip.insert(APIPermission::kMetricsPrivate);
813 skip.insert(APIPermission::kPreferencesPrivate);
814 skip.insert(APIPermission::kPrincipalsPrivate);
815 skip.insert(APIPermission::kImageWriterPrivate);
816 skip.insert(APIPermission::kReadingListPrivate);
817 skip.insert(APIPermission::kRtcPrivate);
818 skip.insert(APIPermission::kStreamsPrivate);
819 skip.insert(APIPermission::kSystemPrivate);
820 skip.insert(APIPermission::kTabCaptureForTab);
821 skip.insert(APIPermission::kTerminalPrivate);
822 skip.insert(APIPermission::kVirtualKeyboardPrivate);
823 skip.insert(APIPermission::kWallpaperPrivate);
824 skip.insert(APIPermission::kWebrtcAudioPrivate);
825 skip.insert(APIPermission::kWebrtcDesktopCapturePrivate);
826 skip.insert(APIPermission::kWebrtcLoggingPrivate);
827 skip.insert(APIPermission::kWebstorePrivate);
828 skip.insert(APIPermission::kWebstoreWidgetPrivate);
829
830 // Warned as part of host permissions.
831 skip.insert(APIPermission::kDevtools);
832
833 // Platform apps.
834 skip.insert(APIPermission::kBrowser);
835 skip.insert(APIPermission::kHid);
836 skip.insert(APIPermission::kFileSystem);
837 skip.insert(APIPermission::kFileSystemProvider);
838 skip.insert(APIPermission::kFileSystemRequestFileSystem);
839 skip.insert(APIPermission::kFileSystemRetainEntries);
840 skip.insert(APIPermission::kFileSystemWrite);
841 skip.insert(APIPermission::kSocket);
842 skip.insert(APIPermission::kUsb);
843 skip.insert(APIPermission::kLauncherSearchProvider);
844
845 // We already have a generic message for declaring externally_connectable.
846 skip.insert(APIPermission::kExternallyConnectableAllUrls);
847
848 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
849 PermissionsInfo* info = PermissionsInfo::GetInstance();
850 APIPermissionSet permissions = info->GetAll();
851 for (APIPermissionSet::const_iterator i = permissions.begin();
852 i != permissions.end(); ++i) {
853 const APIPermissionInfo* permission_info = i->info();
854 EXPECT_TRUE(permission_info != NULL);
855
856 PermissionIDSet id;
857 id.insert(permission_info->id());
858 bool has_message = !provider->GetPermissionMessages(id).empty();
859 bool should_have_message = !skip.count(i->id());
860 EXPECT_EQ(should_have_message, has_message) << permission_info->name();
861 }
862 }
863
864 TEST(PermissionsTest, FileSystemPermissionMessages) {
865 APIPermissionSet api_permissions;
866 api_permissions.insert(APIPermission::kFileSystemWrite);
867 api_permissions.insert(APIPermission::kFileSystemDirectory);
868 scoped_refptr<PermissionSet> permissions(
869 new PermissionSet(api_permissions, ManifestPermissionSet(),
870 URLPatternSet(), URLPatternSet()));
871 EXPECT_TRUE(PermissionSetProducesMessage(
872 permissions.get(), Manifest::TYPE_PLATFORM_APP,
873 MakePermissionIDSet(api_permissions)));
874 }
875
876 // The file system permissions have a special-case hack to show a warning for
877 // write and directory at the same time.
878 // TODO(sammc): Remove this. See http://crbug.com/284849.
879 TEST(PermissionsTest, FileSystemImplicitPermissions) {
880 APIPermissionSet apis;
881 apis.insert(APIPermission::kFileSystemWrite);
882 apis.AddImpliedPermissions();
883
884 EXPECT_EQ(apis.find(APIPermission::kFileSystemWrite)->id(),
885 APIPermission::kFileSystemWrite);
886 EXPECT_EQ(apis.size(), 1u);
887
888 apis.erase(APIPermission::kFileSystemWrite);
889 apis.insert(APIPermission::kFileSystemDirectory);
890 apis.AddImpliedPermissions();
891
892 EXPECT_EQ(apis.find(APIPermission::kFileSystemDirectory)->id(),
893 APIPermission::kFileSystemDirectory);
894 EXPECT_EQ(apis.size(), 1u);
895
896 apis.insert(APIPermission::kFileSystemWrite);
897 apis.AddImpliedPermissions();
898
899 EXPECT_EQ(apis.find(APIPermission::kFileSystemWrite)->id(),
900 APIPermission::kFileSystemWrite);
901 EXPECT_EQ(apis.find(APIPermission::kFileSystemDirectory)->id(),
902 APIPermission::kFileSystemDirectory);
903 EXPECT_EQ(apis.find(APIPermission::kFileSystemWriteDirectory)->id(),
904 APIPermission::kFileSystemWriteDirectory);
905 EXPECT_EQ(apis.size(), 3u);
906 }
907
908 TEST(PermissionsTest, HiddenFileSystemPermissionMessages) {
909 APIPermissionSet api_permissions;
910 api_permissions.insert(APIPermission::kFileSystemWrite);
911 api_permissions.insert(APIPermission::kFileSystemDirectory);
912 api_permissions.insert(APIPermission::kFileSystemWriteDirectory);
913 scoped_refptr<PermissionSet> permissions(
914 new PermissionSet(api_permissions, ManifestPermissionSet(),
915 URLPatternSet(), URLPatternSet()));
916 EXPECT_TRUE(PermissionSetProducesMessage(
917 permissions.get(), Manifest::TYPE_PLATFORM_APP,
918 MakePermissionIDSet(api_permissions)));
919 }
920
921 TEST(PermissionsTest, SuppressedPermissionMessages) {
922 {
923 // Tabs warning suppresses favicon warning.
924 APIPermissionSet api_permissions;
925 api_permissions.insert(APIPermission::kTab);
926 URLPatternSet hosts;
927 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI,
928 "chrome://favicon/"));
929 scoped_refptr<PermissionSet> permissions(
930 new PermissionSet(api_permissions, ManifestPermissionSet(),
931 hosts, URLPatternSet()));
932 EXPECT_TRUE(PermissionSetProducesMessage(
933 permissions.get(), Manifest::TYPE_EXTENSION,
934 MakePermissionIDSet(APIPermission::kTab, APIPermission::kFavicon)));
935 }
936 {
937 // History warning suppresses favicon warning.
938 APIPermissionSet api_permissions;
939 api_permissions.insert(APIPermission::kHistory);
940 URLPatternSet hosts;
941 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI,
942 "chrome://favicon/"));
943 scoped_refptr<PermissionSet> permissions(
944 new PermissionSet(api_permissions, ManifestPermissionSet(),
945 hosts, URLPatternSet()));
946 EXPECT_TRUE(PermissionSetProducesMessage(
947 permissions.get(), Manifest::TYPE_EXTENSION,
948 MakePermissionIDSet(APIPermission::kHistory, APIPermission::kFavicon)));
949 }
950 {
951 // All sites warning suppresses tabs warning.
952 APIPermissionSet api_permissions;
953 api_permissions.insert(APIPermission::kTab);
954 URLPatternSet hosts;
955 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
956 scoped_refptr<PermissionSet> permissions(new PermissionSet(
957 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
958 EXPECT_TRUE(PermissionSetProducesMessage(
959 permissions.get(), Manifest::TYPE_EXTENSION,
960 MakePermissionIDSet(APIPermission::kHostsAll, APIPermission::kTab)));
961 }
962 {
963 // All sites warning suppresses topSites warning.
964 APIPermissionSet api_permissions;
965 api_permissions.insert(APIPermission::kTopSites);
966 URLPatternSet hosts;
967 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
968 scoped_refptr<PermissionSet> permissions(new PermissionSet(
969 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
970 EXPECT_TRUE(PermissionSetProducesMessage(
971 permissions.get(), Manifest::TYPE_EXTENSION,
972 MakePermissionIDSet(APIPermission::kHostsAll,
973 APIPermission::kTopSites)));
974 }
975 {
976 // All sites warning suppresses declarativeWebRequest warning.
977 APIPermissionSet api_permissions;
978 api_permissions.insert(APIPermission::kDeclarativeWebRequest);
979 URLPatternSet hosts;
980 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
981 scoped_refptr<PermissionSet> permissions(new PermissionSet(
982 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
983 EXPECT_TRUE(PermissionSetProducesMessage(
984 permissions.get(), Manifest::TYPE_EXTENSION,
985 MakePermissionIDSet(APIPermission::kHostsAll)));
986 }
987 {
988 // BrowsingHistory warning suppresses all history read/write warnings.
989 APIPermissionSet api_permissions;
990 api_permissions.insert(APIPermission::kHistory);
991 api_permissions.insert(APIPermission::kTab);
992 api_permissions.insert(APIPermission::kTopSites);
993 api_permissions.insert(APIPermission::kProcesses);
994 api_permissions.insert(APIPermission::kWebNavigation);
995 scoped_refptr<PermissionSet> permissions(
996 new PermissionSet(api_permissions, ManifestPermissionSet(),
997 URLPatternSet(), URLPatternSet()));
998 EXPECT_TRUE(PermissionSetProducesMessage(
999 permissions.get(), Manifest::TYPE_EXTENSION,
1000 MakePermissionIDSet(api_permissions)));
1001 }
1002 {
1003 // Tabs warning suppresses all read-only history warnings.
1004 APIPermissionSet api_permissions;
1005 api_permissions.insert(APIPermission::kTab);
1006 api_permissions.insert(APIPermission::kTopSites);
1007 api_permissions.insert(APIPermission::kProcesses);
1008 api_permissions.insert(APIPermission::kWebNavigation);
1009 scoped_refptr<PermissionSet> permissions(
1010 new PermissionSet(api_permissions, ManifestPermissionSet(),
1011 URLPatternSet(), URLPatternSet()));
1012 EXPECT_TRUE(PermissionSetProducesMessage(
1013 permissions.get(), Manifest::TYPE_EXTENSION,
1014 MakePermissionIDSet(api_permissions)));
1015 }
1016 }
1017
1018 TEST(PermissionsTest, AccessToDevicesMessages) {
1019 {
1020 APIPermissionSet api_permissions;
1021 api_permissions.insert(APIPermission::kSerial);
1022 scoped_refptr<PermissionSet> permissions(
1023 new PermissionSet(api_permissions,
1024 ManifestPermissionSet(),
1025 URLPatternSet(),
1026 URLPatternSet()));
1027 VerifyOnePermissionMessage(
1028 permissions.get(), Manifest::TYPE_EXTENSION,
1029 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_SERIAL));
1030 }
1031 {
1032 // Testing that multiple permissions will show the one message.
1033 APIPermissionSet api_permissions;
1034 api_permissions.insert(APIPermission::kSerial);
1035 api_permissions.insert(APIPermission::kSerial);
1036 scoped_refptr<PermissionSet> permissions(
1037 new PermissionSet(api_permissions,
1038 ManifestPermissionSet(),
1039 URLPatternSet(),
1040 URLPatternSet()));
1041 VerifyOnePermissionMessage(
1042 permissions.get(), Manifest::TYPE_EXTENSION,
1043 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_SERIAL));
1044 }
1045 {
1046 scoped_refptr<Extension> extension =
1047 LoadManifest("permissions", "access_to_devices_bluetooth.json");
1048 PermissionSet* set = const_cast<PermissionSet*>(
1049 extension->permissions_data()->active_permissions().get());
1050 VerifyOnePermissionMessage(
1051 set, extension->GetType(),
1052 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_BLUETOOTH));
1053
1054 // Test Bluetooth and Serial
1055 set->apis_.insert(APIPermission::kSerial);
1056 VerifyOnePermissionMessage(
1057 set, extension->GetType(),
1058 l10n_util::GetStringUTF16(
1059 IDS_EXTENSION_PROMPT_WARNING_BLUETOOTH_SERIAL));
1060 }
1061 }
1062
1063 TEST(PermissionsTest, MergedFileSystemPermissionComparison) {
1064 APIPermissionSet write_api_permissions;
1065 write_api_permissions.insert(APIPermission::kFileSystemWrite);
1066 scoped_refptr<PermissionSet> write_permissions(
1067 new PermissionSet(write_api_permissions, ManifestPermissionSet(),
1068 URLPatternSet(), URLPatternSet()));
1069
1070 APIPermissionSet directory_api_permissions;
1071 directory_api_permissions.insert(APIPermission::kFileSystemDirectory);
1072 scoped_refptr<PermissionSet> directory_permissions(
1073 new PermissionSet(directory_api_permissions, ManifestPermissionSet(),
1074 URLPatternSet(), URLPatternSet()));
1075
1076 APIPermissionSet write_directory_api_permissions;
1077 write_directory_api_permissions.insert(
1078 APIPermission::kFileSystemWriteDirectory);
1079 scoped_refptr<PermissionSet> write_directory_permissions(
1080 new PermissionSet(write_directory_api_permissions,
1081 ManifestPermissionSet(),
1082 URLPatternSet(),
1083 URLPatternSet()));
1084
1085 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1086 EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions.get(),
1087 write_permissions.get(),
1088 Manifest::TYPE_PLATFORM_APP));
1089 EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions.get(),
1090 directory_permissions.get(),
1091 Manifest::TYPE_PLATFORM_APP));
1092 EXPECT_TRUE(provider->IsPrivilegeIncrease(write_permissions.get(),
1093 directory_permissions.get(),
1094 Manifest::TYPE_PLATFORM_APP));
1095 EXPECT_TRUE(provider->IsPrivilegeIncrease(write_permissions.get(),
1096 write_directory_permissions.get(),
1097 Manifest::TYPE_PLATFORM_APP));
1098 EXPECT_FALSE(provider->IsPrivilegeIncrease(directory_permissions.get(),
1099 write_permissions.get(),
1100 Manifest::TYPE_PLATFORM_APP));
1101 EXPECT_TRUE(provider->IsPrivilegeIncrease(directory_permissions.get(),
1102 write_directory_permissions.get(),
1103 Manifest::TYPE_PLATFORM_APP));
1104 }
1105
1106 TEST(PermissionsTest, GetWarningMessages_ManyHosts) {
1107 scoped_refptr<Extension> extension;
1108 extension = LoadManifest("permissions", "many-hosts.json");
1109 EXPECT_TRUE(VerifyOnePermissionMessage(
1110 extension->permissions_data(),
1111 "Read and change your data on encrypted.google.com and www.google.com"));
1112 }
1113
1114 TEST(PermissionsTest, GetWarningMessages_Plugins) {
1115 scoped_refptr<Extension> extension;
1116 extension = LoadManifest("permissions", "plugins.json");
1117 // We don't parse the plugins key on Chrome OS, so it should not ask for any
1118 // permissions.
1119 #if defined(OS_CHROMEOS)
1120 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1121 #else
1122 EXPECT_TRUE(VerifyOnePermissionMessage(
1123 extension->permissions_data(),
1124 "Read and change all your data on your computer and the websites you "
1125 "visit"));
1126 #endif
1127 }
1128
1129 TEST(PermissionsTest, GetWarningMessages_AudioVideo) {
1130 const std::string kAudio("Use your microphone");
1131 const std::string kVideo("Use your camera");
1132 const std::string kBoth("Use your microphone and camera");
1133
1134 // Both audio and video present.
1135 scoped_refptr<Extension> extension =
1136 LoadManifest("permissions", "audio-video.json");
1137 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1138 PermissionSet* set = const_cast<PermissionSet*>(
1139 extension->permissions_data()->active_permissions().get());
1140 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1141 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1142 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1143 CoalescedPermissionMessages warnings = provider->GetPermissionMessages(
1144 provider->GetAllPermissionIDs(set, extension->GetType()));
1145 size_t combined_index = IndexOf(warnings, kBoth);
1146 size_t combined_size = warnings.size();
1147
1148 // Just audio present.
1149 set->apis_.erase(APIPermission::kVideoCapture);
1150 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1151 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1152 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1153 CoalescedPermissionMessages warnings2 = provider->GetPermissionMessages(
1154 provider->GetAllPermissionIDs(set, extension->GetType()));
1155 EXPECT_EQ(combined_size, warnings2.size());
1156 EXPECT_EQ(combined_index, IndexOf(warnings2, kAudio));
1157
1158 // Just video present.
1159 set->apis_.erase(APIPermission::kAudioCapture);
1160 set->apis_.insert(APIPermission::kVideoCapture);
1161 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1162 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1163 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1164 CoalescedPermissionMessages warnings3 = provider->GetPermissionMessages(
1165 provider->GetAllPermissionIDs(set, extension->GetType()));
1166 EXPECT_EQ(combined_size, warnings3.size());
1167 EXPECT_EQ(combined_index, IndexOf(warnings3, kVideo));
1168 }
1169
1170 TEST(PermissionsTest, GetWarningMessages_CombinedSessions) {
1171 {
1172 APIPermissionSet api_permissions;
1173 api_permissions.insert(APIPermission::kTab);
1174 api_permissions.insert(APIPermission::kTopSites);
1175 api_permissions.insert(APIPermission::kProcesses);
1176 api_permissions.insert(APIPermission::kWebNavigation);
1177 api_permissions.insert(APIPermission::kSessions);
1178 scoped_refptr<PermissionSet> permissions(
1179 new PermissionSet(api_permissions, ManifestPermissionSet(),
1180 URLPatternSet(), URLPatternSet()));
1181 EXPECT_TRUE(VerifyOnePermissionMessage(
1182 permissions.get(), Manifest::TYPE_EXTENSION,
1183 l10n_util::GetStringUTF16(
1184 IDS_EXTENSION_PROMPT_WARNING_HISTORY_READ_AND_SESSIONS)));
1185 }
1186 {
1187 APIPermissionSet api_permissions;
1188 api_permissions.insert(APIPermission::kHistory);
1189 api_permissions.insert(APIPermission::kTab);
1190 api_permissions.insert(APIPermission::kTopSites);
1191 api_permissions.insert(APIPermission::kProcesses);
1192 api_permissions.insert(APIPermission::kWebNavigation);
1193 api_permissions.insert(APIPermission::kSessions);
1194 scoped_refptr<PermissionSet> permissions(
1195 new PermissionSet(api_permissions, ManifestPermissionSet(),
1196 URLPatternSet(), URLPatternSet()));
1197 EXPECT_TRUE(VerifyOnePermissionMessage(
1198 permissions.get(), Manifest::TYPE_EXTENSION,
1199 l10n_util::GetStringUTF16(
1200 IDS_EXTENSION_PROMPT_WARNING_HISTORY_WRITE_AND_SESSIONS)));
1201 }
1202 }
1203
1204 TEST(PermissionsTest, GetWarningMessages_DeclarativeWebRequest) {
1205 // Test that if the declarativeWebRequest permission is present
1206 // in combination with all hosts permission, then only the warning
1207 // for host permissions is shown, because that covers the use of
1208 // declarativeWebRequest.
1209
1210 // Until Declarative Web Request is in stable, let's make sure it is enabled
1211 // on the current channel.
1212 ScopedCurrentChannel sc(version_info::Channel::CANARY);
1213
1214 // First verify that declarativeWebRequest produces a message when host
1215 // permissions do not cover all hosts.
1216 scoped_refptr<Extension> extension =
1217 LoadManifest("permissions", "web_request_not_all_host_permissions.json");
1218 const PermissionSet* set =
1219 extension->permissions_data()->active_permissions().get();
1220 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(),
1221 "Block parts of web pages"));
1222 EXPECT_FALSE(VerifyHasPermissionMessage(
1223 set, extension->GetType(),
1224 "Read and change all your data on the websites you visit"));
1225
1226 // Now verify that declarativeWebRequest does not produce a message when host
1227 // permissions do cover all hosts.
1228 extension =
1229 LoadManifest("permissions", "web_request_all_host_permissions.json");
1230 set = extension->permissions_data()->active_permissions().get();
1231 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(),
1232 "Block parts of web pages"));
1233 EXPECT_TRUE(VerifyHasPermissionMessage(
1234 set, extension->GetType(),
1235 "Read and change all your data on the websites you visit"));
1236 }
1237
1238 TEST(PermissionsTest, GetWarningMessages_Serial) {
1239 scoped_refptr<Extension> extension =
1240 LoadManifest("permissions", "serial.json");
1241
1242 EXPECT_TRUE(extension->is_platform_app());
1243 EXPECT_TRUE(
1244 extension->permissions_data()->HasAPIPermission(APIPermission::kSerial));
1245 EXPECT_TRUE(VerifyOnePermissionMessage(extension->permissions_data(),
1246 "Access your serial devices"));
1247 }
1248
1249 TEST(PermissionsTest, GetWarningMessages_Socket_AnyHost) {
1250 ScopedCurrentChannel channel(version_info::Channel::DEV);
1251
1252 scoped_refptr<Extension> extension =
1253 LoadManifest("permissions", "socket_any_host.json");
1254 EXPECT_TRUE(extension->is_platform_app());
1255 EXPECT_TRUE(
1256 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1257 EXPECT_TRUE(VerifyOnePermissionMessage(
1258 extension->permissions_data(),
1259 "Exchange data with any device on the local network or internet"));
1260 }
1261
1262 TEST(PermissionsTest, GetWarningMessages_Socket_OneDomainTwoHostnames) {
1263 ScopedCurrentChannel channel(version_info::Channel::DEV);
1264
1265 scoped_refptr<Extension> extension =
1266 LoadManifest("permissions", "socket_one_domain_two_hostnames.json");
1267 EXPECT_TRUE(extension->is_platform_app());
1268 EXPECT_TRUE(
1269 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1270
1271 // Verify the warnings, including support for unicode characters, the fact
1272 // that domain host warnings come before specific host warnings, and the fact
1273 // that domains and hostnames are in alphabetical order regardless of the
1274 // order in the manifest file.
1275 EXPECT_TRUE(VerifyTwoPermissionMessages(
1276 extension->permissions_data(),
1277 "Exchange data with any device in the domain example.org",
1278 "Exchange data with the devices named: "
1279 "b\xC3\xA5r.example.com foo.example.com",
1280 // "\xC3\xA5" = UTF-8 for lowercase A with ring above
1281 true));
1282 }
1283
1284 TEST(PermissionsTest, GetWarningMessages_Socket_TwoDomainsOneHostname) {
1285 ScopedCurrentChannel channel(version_info::Channel::DEV);
1286
1287 scoped_refptr<Extension> extension =
1288 LoadManifest("permissions", "socket_two_domains_one_hostname.json");
1289 EXPECT_TRUE(extension->is_platform_app());
1290 EXPECT_TRUE(
1291 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1292
1293 // Verify the warnings, including the fact that domain host warnings come
1294 // before specific host warnings and the fact that domains and hostnames are
1295 // in alphabetical order regardless of the order in the manifest file.
1296 EXPECT_TRUE(VerifyTwoPermissionMessages(
1297 extension->permissions_data(),
1298 "Exchange data with any device in the domains: "
1299 "example.com foo.example.org",
1300 "Exchange data with the device named bar.example.org", true));
1301 }
1302
1303 // Since platform apps always use isolated storage, they can't (silently)
1304 // access user data on other domains, so there's no need to prompt about host
1305 // permissions. See crbug.com/255229.
1306 TEST(PermissionsTest, GetWarningMessages_PlatformAppHosts) {
1307 scoped_refptr<Extension> extension;
1308
1309 extension = LoadManifest("permissions", "platform_app_hosts.json");
1310 EXPECT_TRUE(extension->is_platform_app());
1311 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1312
1313 extension = LoadManifest("permissions", "platform_app_all_urls.json");
1314 EXPECT_TRUE(extension->is_platform_app());
1315 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1316 }
1317
1318 testing::AssertionResult ShowsAllHostsWarning(const std::string& pattern) {
1319 scoped_refptr<Extension> extension =
1320 ExtensionBuilder()
1321 .SetManifest(DictionaryBuilder()
1322 .Set("name", "TLDWildCardTest")
1323 .Set("version", "0.1.0")
1324 .Set("permissions", ListBuilder().Append(pattern))
1325 .Build())
1326 .Build();
1327
1328 return VerifyHasPermissionMessage(
1329 extension->permissions_data(),
1330 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_ALL_HOSTS));
1331 }
1332
1333 TEST(PermissionsTest, GetWarningMessages_TLDWildcardTreatedAsAllHosts) {
1334 EXPECT_TRUE(ShowsAllHostsWarning("http://*.com/*")); // most popular.
1335 EXPECT_TRUE(ShowsAllHostsWarning("http://*.org/*")); // sanity check.
1336 EXPECT_TRUE(ShowsAllHostsWarning("http://*.co.uk/*")); // eTLD.
1337 EXPECT_TRUE(ShowsAllHostsWarning("http://*.de/*")); // foreign country tld.
1338
1339 // We should still show the normal permissions (i.e., "Can access your data on
1340 // *.rdcronin.com") for things that are not TLDs.
1341 EXPECT_FALSE(ShowsAllHostsWarning("http://*.rdcronin.com/*"));
1342
1343 // Pseudo-TLDs, like appspot.com, should not show all hosts.
1344 EXPECT_FALSE(ShowsAllHostsWarning("http://*.appspot.com/*"));
1345
1346 // Non-TLDs should be likewise exempt.
1347 EXPECT_FALSE(ShowsAllHostsWarning("http://*.notarealtld/*"));
1348
1349 // Our internal checks use "foo", so let's make sure we're not messing
1350 // something up with it.
1351 EXPECT_FALSE(ShowsAllHostsWarning("http://*.foo.com"));
1352 EXPECT_FALSE(ShowsAllHostsWarning("http://foo.com"));
1353 // This will fail if foo becomes a recognized TLD. Which could be soon.
1354 // Update as needed.
1355 EXPECT_FALSE(ShowsAllHostsWarning("http://*.foo"));
1356 }
1357
1358 TEST(PermissionsTest, GetDistinctHosts) {
1359 URLPatternSet explicit_hosts;
1360 std::set<std::string> expected;
1361 expected.insert("www.foo.com");
1362 expected.insert("www.bar.com");
1363 expected.insert("www.baz.com");
1364
1365 {
1366 SCOPED_TRACE("no dupes");
1367
1368 // Simple list with no dupes.
1369 explicit_hosts.AddPattern(
1370 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1371 explicit_hosts.AddPattern(
1372 URLPattern(URLPattern::SCHEME_HTTP, "http://www.bar.com/path"));
1373 explicit_hosts.AddPattern(
1374 URLPattern(URLPattern::SCHEME_HTTP, "http://www.baz.com/path"));
1375 EXPECT_EQ(expected,
1376 permission_message_util::GetDistinctHosts(
1377 explicit_hosts, true, true));
1378 }
1379
1380 {
1381 SCOPED_TRACE("two dupes");
1382
1383 // Add some dupes.
1384 explicit_hosts.AddPattern(
1385 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1386 explicit_hosts.AddPattern(
1387 URLPattern(URLPattern::SCHEME_HTTP, "http://www.baz.com/path"));
1388 EXPECT_EQ(expected,
1389 permission_message_util::GetDistinctHosts(
1390 explicit_hosts, true, true));
1391 }
1392
1393 {
1394 SCOPED_TRACE("schemes differ");
1395
1396 // Add a pattern that differs only by scheme. This should be filtered out.
1397 explicit_hosts.AddPattern(
1398 URLPattern(URLPattern::SCHEME_HTTPS, "https://www.bar.com/path"));
1399 EXPECT_EQ(expected,
1400 permission_message_util::GetDistinctHosts(
1401 explicit_hosts, true, true));
1402 }
1403
1404 {
1405 SCOPED_TRACE("paths differ");
1406
1407 // Add some dupes by path.
1408 explicit_hosts.AddPattern(
1409 URLPattern(URLPattern::SCHEME_HTTP, "http://www.bar.com/pathypath"));
1410 EXPECT_EQ(expected,
1411 permission_message_util::GetDistinctHosts(
1412 explicit_hosts, true, true));
1413 }
1414
1415 {
1416 SCOPED_TRACE("subdomains differ");
1417
1418 // We don't do anything special for subdomains.
1419 explicit_hosts.AddPattern(
1420 URLPattern(URLPattern::SCHEME_HTTP, "http://monkey.www.bar.com/path"));
1421 explicit_hosts.AddPattern(
1422 URLPattern(URLPattern::SCHEME_HTTP, "http://bar.com/path"));
1423
1424 expected.insert("monkey.www.bar.com");
1425 expected.insert("bar.com");
1426
1427 EXPECT_EQ(expected,
1428 permission_message_util::GetDistinctHosts(
1429 explicit_hosts, true, true));
1430 }
1431
1432 {
1433 SCOPED_TRACE("RCDs differ");
1434
1435 // Now test for RCD uniquing.
1436 explicit_hosts.AddPattern(
1437 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1438 explicit_hosts.AddPattern(
1439 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1440 explicit_hosts.AddPattern(
1441 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.de/path"));
1442 explicit_hosts.AddPattern(
1443 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca.us/path"));
1444 explicit_hosts.AddPattern(
1445 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1446 explicit_hosts.AddPattern(
1447 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com.my/path"));
1448
1449 // This is an unknown RCD, which shouldn't be uniqued out.
1450 explicit_hosts.AddPattern(
1451 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.xyzzy/path"));
1452 // But it should only occur once.
1453 explicit_hosts.AddPattern(
1454 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.xyzzy/path"));
1455
1456 expected.insert("www.foo.xyzzy");
1457
1458 EXPECT_EQ(expected,
1459 permission_message_util::GetDistinctHosts(
1460 explicit_hosts, true, true));
1461 }
1462
1463 {
1464 SCOPED_TRACE("wildcards");
1465
1466 explicit_hosts.AddPattern(
1467 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com/*"));
1468
1469 expected.insert("*.google.com");
1470
1471 EXPECT_EQ(expected,
1472 permission_message_util::GetDistinctHosts(
1473 explicit_hosts, true, true));
1474 }
1475
1476 {
1477 SCOPED_TRACE("scriptable hosts");
1478
1479 APIPermissionSet empty_perms;
1480 explicit_hosts.ClearPatterns();
1481 URLPatternSet scriptable_hosts;
1482 expected.clear();
1483
1484 explicit_hosts.AddPattern(
1485 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com/*"));
1486 scriptable_hosts.AddPattern(
1487 URLPattern(URLPattern::SCHEME_HTTP, "http://*.example.com/*"));
1488
1489 expected.insert("*.google.com");
1490 expected.insert("*.example.com");
1491
1492 scoped_refptr<PermissionSet> perm_set(new PermissionSet(
1493 empty_perms, ManifestPermissionSet(),
1494 explicit_hosts, scriptable_hosts));
1495 EXPECT_EQ(expected,
1496 permission_message_util::GetDistinctHosts(
1497 perm_set->effective_hosts(), true, true));
1498 }
1499
1500 {
1501 // We don't display warnings for file URLs because they are off by default.
1502 SCOPED_TRACE("file urls");
1503
1504 explicit_hosts.ClearPatterns();
1505 expected.clear();
1506
1507 explicit_hosts.AddPattern(
1508 URLPattern(URLPattern::SCHEME_FILE, "file:///*"));
1509
1510 EXPECT_EQ(expected,
1511 permission_message_util::GetDistinctHosts(
1512 explicit_hosts, true, true));
1513 }
1514 }
1515
1516 TEST(PermissionsTest, GetDistinctHosts_ComIsBestRcd) {
1517 URLPatternSet explicit_hosts;
1518 explicit_hosts.AddPattern(
1519 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1520 explicit_hosts.AddPattern(
1521 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1522 explicit_hosts.AddPattern(
1523 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1524 explicit_hosts.AddPattern(
1525 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1526 explicit_hosts.AddPattern(
1527 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1528 explicit_hosts.AddPattern(
1529 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1530
1531 std::set<std::string> expected;
1532 expected.insert("www.foo.com");
1533 EXPECT_EQ(expected,
1534 permission_message_util::GetDistinctHosts(
1535 explicit_hosts, true, true));
1536 }
1537
1538 TEST(PermissionsTest, GetDistinctHosts_NetIs2ndBestRcd) {
1539 URLPatternSet explicit_hosts;
1540 explicit_hosts.AddPattern(
1541 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1542 explicit_hosts.AddPattern(
1543 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1544 explicit_hosts.AddPattern(
1545 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1546 explicit_hosts.AddPattern(
1547 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1548 explicit_hosts.AddPattern(
1549 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1550 // No http://www.foo.com/path
1551
1552 std::set<std::string> expected;
1553 expected.insert("www.foo.net");
1554 EXPECT_EQ(expected,
1555 permission_message_util::GetDistinctHosts(
1556 explicit_hosts, true, true));
1557 }
1558
1559 TEST(PermissionsTest, GetDistinctHosts_OrgIs3rdBestRcd) {
1560 URLPatternSet explicit_hosts;
1561 explicit_hosts.AddPattern(
1562 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1563 explicit_hosts.AddPattern(
1564 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1565 explicit_hosts.AddPattern(
1566 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1567 // No http://www.foo.net/path
1568 explicit_hosts.AddPattern(
1569 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1570 // No http://www.foo.com/path
1571
1572 std::set<std::string> expected;
1573 expected.insert("www.foo.org");
1574 EXPECT_EQ(expected,
1575 permission_message_util::GetDistinctHosts(
1576 explicit_hosts, true, true));
1577 }
1578
1579 TEST(PermissionsTest, GetDistinctHosts_FirstInListIs4thBestRcd) {
1580 URLPatternSet explicit_hosts;
1581 explicit_hosts.AddPattern(
1582 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1583 // No http://www.foo.org/path
1584 explicit_hosts.AddPattern(
1585 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1586 // No http://www.foo.net/path
1587 explicit_hosts.AddPattern(
1588 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1589 // No http://www.foo.com/path
1590
1591 std::set<std::string> expected;
1592 expected.insert("www.foo.ca");
1593 EXPECT_EQ(expected,
1594 permission_message_util::GetDistinctHosts(
1595 explicit_hosts, true, true));
1596 }
1597
1598 TEST(PermissionsTest, IsHostPrivilegeIncrease) {
1599 Manifest::Type type = Manifest::TYPE_EXTENSION;
1600 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1601 ManifestPermissionSet empty_manifest_permissions;
1602 URLPatternSet elist1;
1603 URLPatternSet elist2;
1604 URLPatternSet slist1;
1605 URLPatternSet slist2;
1606 scoped_refptr<PermissionSet> set1;
1607 scoped_refptr<PermissionSet> set2;
1608 APIPermissionSet empty_perms;
1609 elist1.AddPattern(
1610 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
1611 elist1.AddPattern(
1612 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1613
1614 // Test that the host order does not matter.
1615 elist2.AddPattern(
1616 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1617 elist2.AddPattern(
1618 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
1619
1620 set1 = new PermissionSet(empty_perms, empty_manifest_permissions,
1621 elist1, slist1);
1622 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1623 elist2, slist2);
1624
1625 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1626 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1627
1628 // Test that paths are ignored.
1629 elist2.ClearPatterns();
1630 elist2.AddPattern(
1631 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/*"));
1632 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1633 elist2, slist2);
1634 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1635 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1636
1637 // Test that RCDs are ignored.
1638 elist2.ClearPatterns();
1639 elist2.AddPattern(
1640 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/*"));
1641 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1642 elist2, slist2);
1643 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1644 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1645
1646 // Test that subdomain wildcards are handled properly.
1647 elist2.ClearPatterns();
1648 elist2.AddPattern(
1649 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com.hk/*"));
1650 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1651 elist2, slist2);
1652 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1653 // TODO(jstritar): Does not match subdomains properly. http://crbug.com/65337
1654 // EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
1655
1656 // Test that different domains count as different hosts.
1657 elist2.ClearPatterns();
1658 elist2.AddPattern(
1659 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1660 elist2.AddPattern(
1661 URLPattern(URLPattern::SCHEME_HTTP, "http://www.example.org/path"));
1662 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1663 elist2, slist2);
1664 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1665 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1666
1667 // Test that different subdomains count as different hosts.
1668 elist2.ClearPatterns();
1669 elist2.AddPattern(
1670 URLPattern(URLPattern::SCHEME_HTTP, "http://mail.google.com/*"));
1671 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1672 elist2, slist2);
1673 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1674 EXPECT_TRUE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1675
1676 // Test that platform apps do not have host permissions increases.
1677 type = Manifest::TYPE_PLATFORM_APP;
1678 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1679 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1680 }
1681
1682 TEST(PermissionsTest, GetAPIsAsStrings) {
1683 APIPermissionSet apis;
1684 URLPatternSet empty_set;
1685
1686 apis.insert(APIPermission::kProxy);
1687 apis.insert(APIPermission::kBackground);
1688 apis.insert(APIPermission::kNotifications);
1689 apis.insert(APIPermission::kTab);
1690
1691 scoped_refptr<PermissionSet> perm_set = new PermissionSet(
1692 apis, ManifestPermissionSet(), empty_set, empty_set);
1693 std::set<std::string> api_names = perm_set->GetAPIsAsStrings();
1694
1695 // The result is correct if it has the same number of elements
1696 // and we can convert it back to the id set.
1697 EXPECT_EQ(4u, api_names.size());
1698 EXPECT_EQ(apis,
1699 PermissionsInfo::GetInstance()->GetAllByName(api_names));
1700 }
1701
1702 TEST(PermissionsTest, IsEmpty) {
1703 APIPermissionSet empty_apis;
1704 URLPatternSet empty_extent;
1705
1706 scoped_refptr<PermissionSet> empty = new PermissionSet();
1707 EXPECT_TRUE(empty->IsEmpty());
1708 scoped_refptr<PermissionSet> perm_set;
1709
1710 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1711 empty_extent, empty_extent);
1712 EXPECT_TRUE(perm_set->IsEmpty());
1713
1714 APIPermissionSet non_empty_apis;
1715 non_empty_apis.insert(APIPermission::kBackground);
1716 perm_set = new PermissionSet(non_empty_apis, ManifestPermissionSet(),
1717 empty_extent, empty_extent);
1718 EXPECT_FALSE(perm_set->IsEmpty());
1719
1720 // Try non standard host
1721 URLPatternSet non_empty_extent;
1722 AddPattern(&non_empty_extent, "http://www.google.com/*");
1723
1724 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1725 non_empty_extent, empty_extent);
1726 EXPECT_FALSE(perm_set->IsEmpty());
1727
1728 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1729 empty_extent, non_empty_extent);
1730 EXPECT_FALSE(perm_set->IsEmpty());
1731 }
1732
1733 TEST(PermissionsTest, ImpliedPermissions) {
1734 URLPatternSet empty_extent;
1735 APIPermissionSet apis;
1736 apis.insert(APIPermission::kFileBrowserHandler);
1737 EXPECT_EQ(1U, apis.size());
1738
1739 scoped_refptr<PermissionSet> perm_set;
1740 perm_set = new PermissionSet(apis, ManifestPermissionSet(),
1741 empty_extent, empty_extent);
1742 EXPECT_EQ(2U, perm_set->apis().size());
1743 }
1744
1745 TEST(PermissionsTest, SyncFileSystemPermission) {
1746 scoped_refptr<Extension> extension = LoadManifest(
1747 "permissions", "sync_file_system.json");
1748 APIPermissionSet apis;
1749 apis.insert(APIPermission::kSyncFileSystem);
1750 EXPECT_TRUE(extension->is_platform_app());
1751 EXPECT_TRUE(extension->permissions_data()->HasAPIPermission(
1752 APIPermission::kSyncFileSystem));
1753 EXPECT_TRUE(
1754 VerifyOnePermissionMessage(extension->permissions_data(),
1755 "Store data in your Google Drive account"));
1756 }
1757
1758 // Make sure that we don't crash when we're trying to show the permissions
1759 // even though chrome://thumb (and everything that's not chrome://favicon with
1760 // a chrome:// scheme) is not a valid permission.
1761 // More details here: crbug/246314.
1762 TEST(PermissionsTest, ChromeURLs) {
1763 URLPatternSet allowed_hosts;
1764 allowed_hosts.AddPattern(
1765 URLPattern(URLPattern::SCHEME_ALL, "http://www.google.com/"));
1766 allowed_hosts.AddPattern(
1767 URLPattern(URLPattern::SCHEME_ALL, "chrome://favicon/"));
1768 allowed_hosts.AddPattern(
1769 URLPattern(URLPattern::SCHEME_ALL, "chrome://thumb/"));
1770 scoped_refptr<PermissionSet> permissions(
1771 new PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
1772 allowed_hosts, URLPatternSet()));
1773 PermissionMessageProvider::Get()->GetPermissionMessages(
1774 PermissionMessageProvider::Get()->GetAllPermissionIDs(
1775 permissions.get(), Manifest::TYPE_EXTENSION));
1776 }
1777
1778 TEST(PermissionsTest, IsPrivilegeIncrease_DeclarativeWebRequest) {
1779 scoped_refptr<Extension> extension(
1780 LoadManifest("permissions", "permissions_all_urls.json"));
1781 scoped_refptr<const PermissionSet> permissions(
1782 extension->permissions_data()->active_permissions());
1783
1784 scoped_refptr<Extension> extension_dwr(
1785 LoadManifest("permissions", "web_request_all_host_permissions.json"));
1786 scoped_refptr<const PermissionSet> permissions_dwr(
1787 extension_dwr->permissions_data()->active_permissions());
1788
1789 EXPECT_FALSE(PermissionMessageProvider::Get()->
1790 IsPrivilegeIncrease(permissions.get(),
1791 permissions_dwr.get(),
1792 extension->GetType()));
1793 }
1794
1795 } // namespace extensions