1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_EXTENSIONS_EXTENSION_MANAGEMENT_H_ 6 #define CHROME_BROWSER_EXTENSIONS_EXTENSION_MANAGEMENT_H_ 7 8 #include <memory> 9 #include <string> 10 #include <unordered_map> 11 #include <vector> 12 13 #include "base/macros.h" 14 #include "base/memory/ref_counted.h" 15 #include "base/memory/singleton.h" 16 #include "base/observer_list.h" 17 #include "base/values.h" 18 #include "chrome/browser/extensions/forced_extensions/install_stage_tracker.h" 19 #include "components/keyed_service/content/browser_context_keyed_service_factory.h" 20 #include "components/keyed_service/core/keyed_service.h" 21 #include "components/prefs/pref_change_registrar.h" 22 #include "extensions/browser/management_policy.h" 23 #include "extensions/common/extension_id.h" 24 #include "extensions/common/manifest.h" 25 26 class GURL; 27 class PrefService; 28 class Profile; 29 30 namespace content { 31 class BrowserContext; 32 } // namespace content 33 34 namespace extensions { 35 36 namespace internal { 37 38 struct IndividualSettings; 39 struct GlobalSettings; 40 41 } // namespace internal 42 43 class APIPermissionSet; 44 class Extension; 45 class PermissionSet; 46 47 // Tracks the management policies that affect extensions and provides interfaces 48 // for observing and obtaining the global settings for all extensions, as well 49 // as per-extension settings. 50 class ExtensionManagement : public KeyedService { 51 public: 52 // Observer class for extension management settings changes. 53 class Observer { 54 public: ~Observer()55 virtual ~Observer() {} 56 57 // Called when the extension management settings change. 58 virtual void OnExtensionManagementSettingsChanged() = 0; 59 }; 60 61 // Installation mode for extensions, default is INSTALLATION_ALLOWED. 62 // * INSTALLATION_ALLOWED: Extension can be installed. 63 // * INSTALLATION_BLOCKED: Extension cannot be installed. 64 // * INSTALLATION_FORCED: Extension will be installed automatically 65 // and cannot be disabled. 66 // * INSTALLATION_RECOMMENDED: Extension will be installed automatically but 67 // can be disabled. 68 // * INSTALLATION_REMOVED: Extension cannot be installed and will be 69 // automatically removed. 70 enum InstallationMode { 71 INSTALLATION_ALLOWED = 0, 72 INSTALLATION_BLOCKED, 73 INSTALLATION_FORCED, 74 INSTALLATION_RECOMMENDED, 75 INSTALLATION_REMOVED, 76 }; 77 78 // Behavior for "Pin extension to toolbar" from the extensions menu, default 79 // is kDefaultUnpinned 80 // * kDefaultUnpinned: Extension starts unpinned, but the user can still pin 81 // it afterwards. 82 // * kForcePinned: Extension starts pinned to the toolbar, and the user 83 // cannot unpin it. 84 // TODO(crbug.com/1071314): Add kDefaultPinned state. 85 enum class ToolbarPinMode { 86 kDefaultUnpinned = 0, 87 kForcePinned, 88 }; 89 90 explicit ExtensionManagement(Profile* profile); 91 ~ExtensionManagement() override; 92 93 // KeyedService implementations: 94 void Shutdown() override; 95 96 void AddObserver(Observer* observer); 97 void RemoveObserver(Observer* observer); 98 99 // Get the list of ManagementPolicy::Provider controlled by extension 100 // management policy settings. 101 const std::vector<std::unique_ptr<ManagementPolicy::Provider>>& GetProviders() 102 const; 103 104 // Checks if extensions are blocklisted by default, by policy. When true, 105 // this means that even extensions without an ID should be blocklisted (e.g. 106 // from the command line, or when loaded as an unpacked extension). 107 bool BlocklistedByDefault() const; 108 109 // Returns installation mode for an extension. 110 InstallationMode GetInstallationMode(const Extension* extension) const; 111 112 // Returns installation mode for an extension with id |extension_id| and 113 // updated with |update_url|. 114 InstallationMode GetInstallationMode(const ExtensionId& extension_id, 115 const std::string& update_url) const; 116 117 // Returns the force install list, in format specified by 118 // ExternalPolicyLoader::AddExtension(). 119 std::unique_ptr<base::DictionaryValue> GetForceInstallList() const; 120 121 // Like GetForceInstallList(), but returns recommended install list instead. 122 std::unique_ptr<base::DictionaryValue> GetRecommendedInstallList() const; 123 124 // Returns |true| if there is at least one extension with 125 // |INSTALLATION_ALLOWED| as installation mode. This excludes force installed 126 // extensions. 127 bool HasAllowlistedExtension() const; 128 129 // Returns if an extension with id |id| is explicitly allowed by enterprise 130 // policy or not. 131 bool IsInstallationExplicitlyAllowed(const ExtensionId& id) const; 132 133 // Returns if an extension with id |id| is explicitly blocked by enterprise 134 // policy or not. 135 bool IsInstallationExplicitlyBlocked(const ExtensionId& id) const; 136 137 // Returns true if an extension download should be allowed to proceed. 138 bool IsOffstoreInstallAllowed(const GURL& url, 139 const GURL& referrer_url) const; 140 141 // Returns true if an extension with manifest type |manifest_type| and 142 // id |extension_id| is allowed to be installed. 143 bool IsAllowedManifestType(Manifest::Type manifest_type, 144 const std::string& extension_id) const; 145 146 // Returns the list of blocked API permissions for |extension|. 147 APIPermissionSet GetBlockedAPIPermissions(const Extension* extension) const; 148 149 // Returns the list of blocked API permissions for an extension with id 150 // |extension_id| and updated with |update_url|. 151 APIPermissionSet GetBlockedAPIPermissions( 152 const ExtensionId& extension_id, 153 const std::string& update_url) const; 154 155 // Returns the list of hosts blocked by policy for |extension|. 156 const URLPatternSet& GetPolicyBlockedHosts(const Extension* extension) const; 157 158 // Returns the hosts exempted by policy from the PolicyBlockedHosts for 159 // |extension|. 160 const URLPatternSet& GetPolicyAllowedHosts(const Extension* extension) const; 161 162 // Returns the list of hosts blocked by policy for Default scope. This can be 163 // overridden by an individual scope which is queried via 164 // GetPolicyBlockedHosts. 165 const URLPatternSet& GetDefaultPolicyBlockedHosts() const; 166 167 // Returns the hosts exempted by policy from PolicyBlockedHosts for 168 // the default scope. This can be overridden by an individual scope which is 169 // queries via GetPolicyAllowedHosts. This should only be used to 170 // initialize a new renderer. 171 const URLPatternSet& GetDefaultPolicyAllowedHosts() const; 172 173 // Checks if an |extension| has its own runtime_blocked_hosts or 174 // runtime_allowed_hosts defined in the individual scope of the 175 // ExtensionSettings policy. 176 // Returns false if an individual scoped setting isn't defined. 177 bool UsesDefaultPolicyHostRestrictions(const Extension* extension) const; 178 179 // Checks if a URL is on the blocked host permissions list for a specific 180 // extension. 181 bool IsPolicyBlockedHost(const Extension* extension, const GURL& url) const; 182 183 // Returns blocked permission set for |extension|. 184 std::unique_ptr<const PermissionSet> GetBlockedPermissions( 185 const Extension* extension) const; 186 187 // If the extension is blocked from install and a custom error message 188 // was defined returns it. Otherwise returns an empty string. The maximum 189 // string length is 1000 characters. 190 const std::string BlockedInstallMessage(const ExtensionId& id) const; 191 192 // Returns true if every permission in |perms| is allowed for |extension|. 193 bool IsPermissionSetAllowed(const Extension* extension, 194 const PermissionSet& perms) const; 195 196 // Returns true if every permission in |perms| is allowed for an extension 197 // with id |extension_id| and updated with |update_url|. 198 bool IsPermissionSetAllowed(const ExtensionId& extension_id, 199 const std::string& update_url, 200 const PermissionSet& perms) const; 201 202 // Returns true if |extension| meets the minimum required version set for it. 203 // If there is no such requirement set for it, returns true as well. 204 // If false is returned and |required_version| is not null, the minimum 205 // required version is returned. 206 bool CheckMinimumVersion(const Extension* extension, 207 std::string* required_version) const; 208 209 // Returns the list of extensions with "force_pinned" mode for the 210 // "toolbar_pin" setting. 211 ExtensionIdSet GetForcePinnedList() const; 212 213 // Returns whether the profile associated with this instance is supervised. is_child()214 bool is_child() const { return is_child_; } 215 216 private: 217 using SettingsIdMap = 218 std::unordered_map<ExtensionId, 219 std::unique_ptr<internal::IndividualSettings>>; 220 using SettingsUpdateUrlMap = 221 std::unordered_map<std::string, 222 std::unique_ptr<internal::IndividualSettings>>; 223 friend class ExtensionManagementServiceTest; 224 225 // Load all extension management preferences from |pref_service|, and 226 // refresh the settings. 227 void Refresh(); 228 229 // Load preference with name |pref_name| and expected type |expected_type|. 230 // If |force_managed| is true, only loading from the managed preference store 231 // is allowed. Returns NULL if the preference is not present, not allowed to 232 // be loaded from or has the wrong type. 233 const base::Value* LoadPreference(const char* pref_name, 234 bool force_managed, 235 base::Value::Type expected_type) const; 236 237 void OnExtensionPrefChanged(); 238 void NotifyExtensionManagementPrefChanged(); 239 240 // Reports install creation stage to InstallStageTracker for the extensions. 241 // |forced_stage| is reported for the extensions which have installation mode 242 // as INSTALLATION_FORCED, and |other_stage| is reported for all other 243 // installation modes. 244 void ReportExtensionManagementInstallCreationStage( 245 InstallStageTracker::InstallCreationStage forced_stage, 246 InstallStageTracker::InstallCreationStage other_stage); 247 248 // Helper to return an extension install list, in format specified by 249 // ExternalPolicyLoader::AddExtension(). 250 std::unique_ptr<base::DictionaryValue> GetInstallListByMode( 251 InstallationMode installation_mode) const; 252 253 // Helper to update |extension_dict| for forced installs. 254 void UpdateForcedExtensions(const base::DictionaryValue* extension_dict); 255 256 // Helper function to access |settings_by_id_| with |id| as key. 257 // Adds a new IndividualSettings entry to |settings_by_id_| if none exists for 258 // |id| yet. 259 internal::IndividualSettings* AccessById(const ExtensionId& id); 260 261 // Similar to AccessById(), but access |settings_by_update_url_| instead. 262 internal::IndividualSettings* AccessByUpdateUrl( 263 const std::string& update_url); 264 265 // A map containing all IndividualSettings applied to an individual extension 266 // identified by extension ID. The extension ID is used as index key of the 267 // map. 268 SettingsIdMap settings_by_id_; 269 270 // Similar to |settings_by_id_|, but contains the settings for a group of 271 // extensions with same update URL. The update url itself is used as index 272 // key for the map. 273 SettingsUpdateUrlMap settings_by_update_url_; 274 275 // The default IndividualSettings. 276 // For extension settings applied to an individual extension (identified by 277 // extension ID) or a group of extension (with specified extension update 278 // URL), all unspecified part will take value from |default_settings_|. 279 // For all other extensions, all settings from |default_settings_| will be 280 // enforced. 281 std::unique_ptr<internal::IndividualSettings> default_settings_; 282 283 // Extension settings applicable to all extensions. 284 std::unique_ptr<internal::GlobalSettings> global_settings_; 285 286 Profile* const profile_ = nullptr; 287 PrefService* pref_service_ = nullptr; 288 bool is_signin_profile_ = false; 289 bool is_child_ = false; 290 291 base::ObserverList<Observer, true>::Unchecked observer_list_; 292 PrefChangeRegistrar pref_change_registrar_; 293 std::vector<std::unique_ptr<ManagementPolicy::Provider>> providers_; 294 295 DISALLOW_COPY_AND_ASSIGN(ExtensionManagement); 296 }; 297 298 class ExtensionManagementFactory : public BrowserContextKeyedServiceFactory { 299 public: 300 static ExtensionManagement* GetForBrowserContext( 301 content::BrowserContext* context); 302 static ExtensionManagementFactory* GetInstance(); 303 304 private: 305 friend struct base::DefaultSingletonTraits<ExtensionManagementFactory>; 306 307 ExtensionManagementFactory(); 308 ~ExtensionManagementFactory() override; 309 310 // BrowserContextKeyedServiceExtensionManagementFactory: 311 KeyedService* BuildServiceInstanceFor( 312 content::BrowserContext* context) const override; 313 content::BrowserContext* GetBrowserContextToUse( 314 content::BrowserContext* context) const override; 315 void RegisterProfilePrefs( 316 user_prefs::PrefRegistrySyncable* registry) override; 317 318 DISALLOW_COPY_AND_ASSIGN(ExtensionManagementFactory); 319 }; 320 321 } // namespace extensions 322 323 #endif // CHROME_BROWSER_EXTENSIONS_EXTENSION_MANAGEMENT_H_ 324