Bug 1428922 - Implement helper function to support various permissions-type...

Bug 1428922 - Implement helper function to support various permissions-type policies, and use it to implement the Flash, Cookies, Install-Addons and Popups policy. r=mystor MozReview-Commit-ID: Wy1VDEfvqs

Bug 1428922 - Implement helper function to support various permissions-type...
Bug 1428922 - Implement helper function to support various permissions-type policies, and use it to implement the Flash, Cookies, Install-Addons and Popups policy. r=mystor MozReview-Commit-ID: Wy1VDEfvqs
68cdd708 · Felipe Gomes · 074c9ae1 · 68cdd708 · 68cdd708 · 68cdd708
Commit 68cdd708 authored Jan 24, 2018 by Felipe Gomes
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@@ -40,7 +40,31 @@ this.Policies = {
    onBeforeUIStartup(manager, param) {
      setAndLockPref("browser.shell.checkDefaultBrowser", false);
    }
-  }
+  },
+
+  "flash_plugin": {
+    onBeforeUIStartup(manager, param) {
+      addAllowDenyPermissions("plugin:flash", param.allow, param.block);
+    }
+  },
+
+  "popups": {
+    onBeforeUIStartup(manager, param) {
+      addAllowDenyPermissions("popup", param.allow, param.block);
+    }
+  },
+
+  "install_addons": {
+    onBeforeUIStartup(manager, param) {
+      addAllowDenyPermissions("install", param.allow, param.block);
+    }
+  },
+
+  "cookies": {
+    onBeforeUIStartup(manager, param) {
+      addAllowDenyPermissions("cookie", param.allow, param.block);
+    }
+  },
 };

 /*
@@ -78,3 +102,22 @@ function setAndLockPref(prefName, prefValue) {

  Services.prefs.lockPref(prefName);
 }
+
+function addAllowDenyPermissions(permissionName, allowList, blockList) {
+  allowList = allowList || [];
+  blockList = blockList || [];
+
+  for (let origin of allowList) {
+    Services.perms.add(origin,
+                       permissionName,
+                       Ci.nsIPermissionManager.ALLOW_ACTION,
+                       Ci.nsIPermissionManager.EXPIRE_POLICY);
+  }
+
+  for (let origin of blockList) {
+    Services.perms.add(origin,
+                       permissionName,
+                       Ci.nsIPermissionManager.DENY_ACTION,
+                       Ci.nsIPermissionManager.EXPIRE_POLICY);
+  }
+}
--- a/browser/components/enterprisepolicies/schemas/policies-schema.json
+++ b/browser/components/enterprisepolicies/schemas/policies-schema.json
@@ -2,7 +2,7 @@
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
-     "block_about_config": {
+    "block_about_config": {
      "description": "Blocks access to the about:config page.",
      "first_available": "60.0",

@@ -16,6 +16,94 @@

      "type": "boolean",
      "enum": [true]
+    },
+
+    "flash_plugin": {
+      "description": "Allow or deny flash plugin usage.",
+      "first_available": "60.0",
+
+      "type": "object",
+      "properties": {
+        "allow": {
+          "type": "array",
+          "items": {
+            "type": "origin"
+          }
+        },
+
+        "block": {
+          "type": "array",
+          "items": {
+            "type": "origin"
+          }
+        }
+      }
+    },
+
+    "popups": {
+      "description": "Allow or deny popup usage.",
+      "first_available": "60.0",
+
+      "type": "object",
+      "properties": {
+        "allow": {
+          "type": "array",
+          "items": {
+            "type": "origin"
+          }
+        },
+
+        "block": {
+          "type": "array",
+          "items": {
+            "type": "origin"
+          }
+        }
+      }
+    },
+
+    "install_addons": {
+      "description": "Allow or deny popup websites to install webextensions.",
+      "first_available": "60.0",
+
+      "type": "object",
+      "properties": {
+        "allow": {
+          "type": "array",
+          "items": {
+            "type": "origin"
+          }
+        },
+
+        "block": {
+          "type": "array",
+          "items": {
+            "type": "origin"
+          }
+        }
+      }
+    },
+
+    "cookies": {
+      "description": "Allow or deny websites to set cookies.",
+      "first_available": "60.0",
+
+      "type": "object",
+      "properties": {
+        "allow": {
+          "type": "array",
+          "items": {
+            "type": "origin"
+          }
+        },
+
+        "block": {
+          "type": "array",
+          "items": {
+            "type": "origin"
+          }
+        }
+      }
    }
  }
 }
--- a/browser/components/enterprisepolicies/tests/browser/browser.ini
+++ b/browser/components/enterprisepolicies/tests/browser/browser.ini
@@ -4,11 +4,13 @@ prefs =
 support-files =
  head.js
  config_dont_check_default_browser.json
+  config_popups_cookies_addons_flash.json
  config_setAndLockPref.json
  config_simple_policies.json
  config_broken_json.json

 [browser_policies_broken_json.js]
+[browser_policies_popups_cookies_addons_flash.js]
 [browser_policies_setAndLockPref_API.js]
 [browser_policies_simple_policies.js]
 [browser_policies_validate_and_parse_API.js]

--- a/browser/components/enterprisepolicies/tests/browser/browser_policies_popups_cookies_addons_flash.js
+++ b/browser/components/enterprisepolicies/tests/browser/browser_policies_popups_cookies_addons_flash.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+function URI(str) {
+  return Services.io.newURI(str);
+}
+
+add_task(async function test_start_with_disabled_engine() {
+  await startWithCleanSlate();
+});
+
+add_task(async function test_setup_preexisting_permissions() {
+  // Pre-existing ALLOW permissions that should be overriden
+  // with DENY.
+  Services.perms.add(URI("https://www.pre-existing-allow.com"),
+                     "popup",
+                     Ci.nsIPermissionManager.ALLOW_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+
+  Services.perms.add(URI("https://www.pre-existing-allow.com"),
+                     "install",
+                     Ci.nsIPermissionManager.ALLOW_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+
+  Services.perms.add(URI("https://www.pre-existing-allow.com"),
+                     "cookie",
+                     Ci.nsIPermissionManager.ALLOW_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+
+  Services.perms.add(URI("https://www.pre-existing-allow.com"),
+                     "plugin:flash",
+                     Ci.nsIPermissionManager.ALLOW_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+
+  // Pre-existing DENY permissions that should be overriden
+  // with ALLOW.
+  Services.perms.add(URI("https://www.pre-existing-deny.com"),
+                     "popup",
+                     Ci.nsIPermissionManager.DENY_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+
+  Services.perms.add(URI("https://www.pre-existing-deny.com"),
+                     "install",
+                     Ci.nsIPermissionManager.DENY_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+
+  Services.perms.add(URI("https://www.pre-existing-deny.com"),
+                     "cookie",
+                     Ci.nsIPermissionManager.DENY_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+
+  Services.perms.add(URI("https://www.pre-existing-deny.com"),
+                     "plugin:flash",
+                     Ci.nsIPermissionManager.DENY_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+});
+
+add_task(async function test_setup_activate_policies() {
+  await setupPolicyEngineWithJson("config_popups_cookies_addons_flash.json");
+  is(Services.policies.status, Ci.nsIEnterprisePolicies.ACTIVE, "Engine is active");
+});
+
+function checkPermission(url, expected, permissionName) {
+  let expectedValue = Ci.nsIPermissionManager[`${expected}_ACTION`];
+  let uri = Services.io.newURI(`https://www.${url}`);
+
+  is(Services.perms.testPermission(uri, permissionName),
+    expectedValue,
+    `Correct (${permissionName}=${expected}) for URL ${url}`);
+
+  if (expected != "UNKNOWN") {
+    let permission = Services.perms.getPermissionObjectForURI(
+      uri, permissionName, true);
+    ok(permission, "Permission object exists");
+    is(permission.expireType, Ci.nsIPermissionManager.EXPIRE_POLICY,
+       "Permission expireType is correct");
+  }
+}
+
+function checkAllPermissionsForType(type) {
+  checkPermission("allow.com", "ALLOW", type);
+  checkPermission("deny.com", "DENY", type);
+  checkPermission("unknown.com", "UNKNOWN", type);
+  checkPermission("pre-existing-allow.com", "DENY", type);
+  checkPermission("pre-existing-deny.com", "ALLOW", type);
+}
+
+add_task(async function test_popups_policy() {
+  checkAllPermissionsForType("popup");
+});
+
+add_task(async function test_webextensions_policy() {
+  checkAllPermissionsForType("install");
+});
+
+add_task(async function test_cookies_policy() {
+  checkAllPermissionsForType("cookie");
+});
+
+add_task(async function test_flash_policy() {
+  checkAllPermissionsForType("plugin:flash");
+});
+
+add_task(async function test_change_permission() {
+  // Checks that changing a permission will still retain the
+  // value set through the engine.
+  Services.perms.add(URI("https://www.allow.com"), "popup",
+                     Ci.nsIPermissionManager.DENY_ACTION,
+                     Ci.nsIPermissionManager.EXPIRE_SESSION);
+
+  checkPermission("allow.com", "ALLOW", "popup");
+
+  // Also change one un-managed permission to make sure it doesn't
+  // cause any problems to the policy engine or the permission manager.
+  Services.perms.add(URI("https://www.unmanaged.com"), "popup",
+                   Ci.nsIPermissionManager.DENY_ACTION,
+                   Ci.nsIPermissionManager.EXPIRE_SESSION);
+});
--- a/browser/components/enterprisepolicies/tests/browser/config_popups_cookies_addons_flash.json
+++ b/browser/components/enterprisepolicies/tests/browser/config_popups_cookies_addons_flash.json
+{
+  "policies": {
+    "popups": {
+      "allow": [
+        "https://www.allow.com",
+        "https://www.pre-existing-deny.com"
+      ],
+
+      "block": [
+        "https://www.deny.com",
+        "https://www.pre-existing-allow.com"
+      ]
+    },
+
+    "cookies": {
+      "allow": [
+        "https://www.allow.com",
+        "https://www.pre-existing-deny.com"
+      ],
+
+      "block": [
+        "https://www.deny.com",
+        "https://www.pre-existing-allow.com"
+      ]
+    },
+
+    "install_addons": {
+      "allow": [
+        "https://www.allow.com",
+        "https://www.pre-existing-deny.com"
+      ],
+
+      "block": [
+        "https://www.deny.com",
+        "https://www.pre-existing-allow.com"
+      ]
+    },
+
+    "flash_plugin": {
+      "allow": [
+        "https://www.allow.com",
+        "https://www.pre-existing-deny.com"
+      ],
+
+      "block": [
+        "https://www.deny.com",
+        "https://www.pre-existing-allow.com"
+      ]
+    }
+  }
+}