Home | History | Annotate | Download | only in browser 
      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "extensions/browser/admin_policy.h"
      6 
      7 #include "base/strings/utf_string_conversions.h"
      8 #include "extensions/common/extension.h"
      9 #include "extensions/common/manifest.h"
     10 #include "grit/generated_resources.h"
     11 #include "ui/base/l10n/l10n_util.h"
     12 
     13 namespace {
     14 
     15 bool ManagementPolicyImpl(const extensions::Extension* extension,
     16                           string16* error,
     17                           bool modifiable_value) {
     18   bool modifiable =
     19       extension->location() != extensions::Manifest::COMPONENT &&
     20       !extensions::Manifest::IsPolicyLocation(extension->location());
     21   // Some callers equate "no restriction" to true, others to false.
     22   if (modifiable)
     23     return modifiable_value;
     24 
     25   if (error) {
     26     *error = l10n_util::GetStringFUTF16(
     27         IDS_EXTENSION_CANT_MODIFY_POLICY_REQUIRED,
     28         UTF8ToUTF16(extension->name()));
     29   }
     30   return !modifiable_value;
     31 }
     32 
     33 bool ReturnLoadError(const extensions::Extension* extension, string16* error) {
     34   if (error) {
     35     *error = l10n_util::GetStringFUTF16(
     36           IDS_EXTENSION_CANT_INSTALL_POLICY_BLOCKED,
     37           UTF8ToUTF16(extension->name()),
     38           UTF8ToUTF16(extension->id()));
     39   }
     40   return false;
     41 }
     42 
     43 }  // namespace
     44 
     45 namespace extensions {
     46 namespace admin_policy {
     47 
     48 bool BlacklistedByDefault(const base::ListValue* blacklist) {
     49   base::StringValue wildcard("*");
     50   return blacklist && blacklist->Find(wildcard) != blacklist->end();
     51 }
     52 
     53 bool UserMayLoad(const base::ListValue* blacklist,
     54                  const base::ListValue* whitelist,
     55                  const base::DictionaryValue* forcelist,
     56                  const base::ListValue* allowed_types,
     57                  const Extension* extension,
     58                  string16* error) {
     59   // Component extensions are always allowed.
     60   if (extension->location() == Manifest::COMPONENT)
     61     return true;
     62 
     63   // Forced installed extensions cannot be overwritten manually.
     64   if (extension->location() != Manifest::EXTERNAL_POLICY &&
     65       extension->location() != Manifest::EXTERNAL_POLICY_DOWNLOAD &&
     66       forcelist && forcelist->HasKey(extension->id())) {
     67     return ReturnLoadError(extension, error);
     68   }
     69 
     70   // Early exit for the common case of no policy restrictions.
     71   if ((!blacklist || blacklist->empty()) && (!allowed_types))
     72     return true;
     73 
     74   // Check whether the extension type is allowed.
     75   //
     76   // If you get a compile error here saying that the type you added is not
     77   // handled by the switch statement below, please consider whether enterprise
     78   // policy should be able to disallow extensions of the new type. If so, add a
     79   // branch to the second block and add a line to the definition of
     80   // kExtensionAllowedTypesMap in configuration_policy_handler_list.cc.
     81   switch (extension->GetType()) {
     82     case Manifest::TYPE_UNKNOWN:
     83       break;
     84     case Manifest::TYPE_EXTENSION:
     85     case Manifest::TYPE_THEME:
     86     case Manifest::TYPE_USER_SCRIPT:
     87     case Manifest::TYPE_HOSTED_APP:
     88     case Manifest::TYPE_LEGACY_PACKAGED_APP:
     89     case Manifest::TYPE_PLATFORM_APP:
     90     case Manifest::TYPE_SHARED_MODULE:
     91       base::FundamentalValue type_value(extension->GetType());
     92       if (allowed_types &&
     93           allowed_types->Find(type_value) == allowed_types->end())
     94         return ReturnLoadError(extension, error);
     95       break;
     96   }
     97 
     98   // Check the whitelist/forcelist first.
     99   base::StringValue id_value(extension->id());
    100   if ((whitelist && whitelist->Find(id_value) != whitelist->end()) ||
    101       (forcelist && forcelist->HasKey(extension->id())))
    102     return true;
    103 
    104   // Then check the admin blacklist.
    105   if ((blacklist && blacklist->Find(id_value) != blacklist->end()) ||
    106       BlacklistedByDefault(blacklist))
    107     return ReturnLoadError(extension, error);
    108 
    109   return true;
    110 }
    111 
    112 bool UserMayModifySettings(const Extension* extension, string16* error) {
    113   return ManagementPolicyImpl(extension, error, true);
    114 }
    115 
    116 bool MustRemainEnabled(const Extension* extension, string16* error) {
    117   return ManagementPolicyImpl(extension, error, false);
    118 }
    119 
    120 }  // namespace admin_policy
    121 }  // namespace extensions
    122