Source code

Revision control

Copy as Markdown

Other Tools

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "mozilla/AbstractThread.h"
#include "mozilla/AppShutdown.h"
#ifdef MOZ_BACKGROUNDTASKS
# include "mozilla/BackgroundTasks.h"
#endif
#include "mozilla/BasePrincipal.h"
#include "mozilla/ClearOnShutdown.h"
#include "mozilla/ContentPrincipal.h"
#include "mozilla/DebugOnly.h"
#include "mozilla/dom/CanonicalBrowsingContext.h"
#include "mozilla/dom/ContentParent.h"
#include "mozilla/dom/Document.h"
#include "mozilla/dom/WindowGlobalParent.h"
#include "mozilla/ExpandedPrincipal.h"
#include "mozilla/net/NeckoMessageUtils.h"
#include "mozilla/Permission.h"
#include "mozilla/PermissionManager.h"
#include "mozilla/Preferences.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/StaticPrefs_permissions.h"
#include "mozilla/Telemetry.h"
#include "mozIStorageService.h"
#include "mozIStorageConnection.h"
#include "mozIStorageStatement.h"
#include "mozStorageCID.h"
#include "nsAppDirectoryServiceDefs.h"
#include "nsComponentManagerUtils.h"
#include "nsContentUtils.h"
#include "nsCRT.h"
#include "nsDebug.h"
#include "nsEffectiveTLDService.h"
#include "nsIConsoleService.h"
#include "nsIUserIdleService.h"
#include "nsIInputStream.h"
#include "nsINavHistoryService.h"
#include "nsIObserverService.h"
#include "nsIPrefBranch.h"
#include "nsIPrincipal.h"
#include "nsIURIMutator.h"
#include "nsIWritablePropertyBag2.h"
#include "nsReadLine.h"
#include "nsStringFwd.h"
#include "nsTHashSet.h"
#include "nsToolkitCompsCID.h"
using namespace mozilla::dom;
namespace mozilla {
#define PERMISSIONS_FILE_NAME "permissions.sqlite"
#define HOSTS_SCHEMA_VERSION 12
// Default permissions are read from a URL - this is the preference we read
// to find that URL. If not set, don't use any default permissions.
constexpr char kDefaultsUrlPrefName[] = "permissions.manager.defaultsUrl";
constexpr char kPermissionChangeNotification[] = PERM_CHANGE_NOTIFICATION;
// A special value for a permission ID that indicates the ID was loaded as
// a default value. These will never be written to the database, but may
// be overridden with an explicit permission (including UNKNOWN_ACTION)
constexpr int64_t cIDPermissionIsDefault = -1;
static StaticRefPtr<PermissionManager> gPermissionManager;
#define ENSURE_NOT_CHILD_PROCESS_(onError) \
PR_BEGIN_MACRO \
if (IsChildProcess()) { \
NS_ERROR("Cannot perform action in content process!"); \
onError \
} \
PR_END_MACRO
#define ENSURE_NOT_CHILD_PROCESS \
ENSURE_NOT_CHILD_PROCESS_({ return NS_ERROR_NOT_AVAILABLE; })
#define ENSURE_NOT_CHILD_PROCESS_NORET ENSURE_NOT_CHILD_PROCESS_(;)
#define EXPIRY_NOW PR_Now() / 1000
////////////////////////////////////////////////////////////////////////////////
namespace {
bool IsChildProcess() { return XRE_IsContentProcess(); }
void LogToConsole(const nsAString& aMsg) {
nsCOMPtr<nsIConsoleService> console(
do_GetService("@mozilla.org/consoleservice;1"));
if (!console) {
NS_WARNING("Failed to log message to console.");
return;
}
nsAutoString msg(aMsg);
console->LogStringMessage(msg.get());
}
// NOTE: an empty string can be passed as aType - if it is this function will
// return "false" unconditionally.
bool HasDefaultPref(const nsACString& aType) {
// A list of permissions that can have a fallback default permission
// set under the permissions.default.* pref.
static const nsLiteralCString kPermissionsWithDefaults[] = {
"camera"_ns, "microphone"_ns, "geo"_ns, "desktop-notification"_ns,
"shortcuts"_ns, "screen-wake-lock"_ns};
if (!aType.IsEmpty()) {
for (const auto& perm : kPermissionsWithDefaults) {
if (perm.Equals(aType)) {
return true;
}
}
}
return false;
}
// These permissions are special permissions which must be transmitted to the
// content process before documents with their principals have loaded within
// that process.
//
// Permissions which are in this list are considered to have a "" permission
// key, even if their principal would not normally have that key.
static const nsLiteralCString kPreloadPermissions[] = {
// This permission is preloaded to support properly blocking service worker
// interception when a user has disabled storage for a specific site. Once
// service worker interception moves to the parent process this should be
// removed. See bug 1428130.
"cookie"_ns, "https-only-load-insecure"_ns};
// NOTE: nullptr can be passed as aType - if it is this function will return
// "false" unconditionally.
bool IsPreloadPermission(const nsACString& aType) {
if (!aType.IsEmpty()) {
for (const auto& perm : kPreloadPermissions) {
if (perm.Equals(aType)) {
return true;
}
}
}
return false;
}
// Array of permission types which should not be isolated by origin attributes,
// for user context and private browsing.
// Keep this array in sync with 'STRIPPED_PERMS' in
// 'test_permmanager_oa_strip.js'
// Currently only preloaded permissions are supported.
// This is because perms are sent to the content process in bulk by perm key.
// Non-preloaded, but OA stripped permissions would not be accessible by sites
// in private browsing / non-default user context.
static constexpr std::array<nsLiteralCString, 2> kStripOAPermissions = {
{"cookie"_ns, "https-only-load-insecure"_ns}};
bool IsOAForceStripPermission(const nsACString& aType) {
if (aType.IsEmpty()) {
return false;
}
for (const auto& perm : kStripOAPermissions) {
if (perm.Equals(aType)) {
return true;
}
}
return false;
}
// Array of permission prefixes which should be isolated only by site.
// These site-scoped permissions are stored under their site's principal.
// GetAllForPrincipal also needs to look for these especially.
static constexpr std::array<nsLiteralCString, 3> kSiteScopedPermissions = {
{"3rdPartyStorage^"_ns, "AllowStorageAccessRequest^"_ns,
"3rdPartyFrameStorage^"_ns}};
bool IsSiteScopedPermission(const nsACString& aType) {
if (aType.IsEmpty()) {
return false;
}
for (const auto& perm : kSiteScopedPermissions) {
if (aType.Length() >= perm.Length() &&
Substring(aType, 0, perm.Length()) == perm) {
return true;
}
}
return false;
}
// Array of permission type prefixes which have a secondary key encoded in the
// permission type. These permissions will not be stored in-process with the
// secondary key, but updates to them will cause "perm-changed" notifications on
// processes for that key.
static constexpr std::array<nsLiteralCString, 3> kSecondaryKeyedPermissions = {
{"3rdPartyStorage^"_ns, "AllowStorageAccessRequest^"_ns,
"3rdPartyFrameStorage^"_ns}};
bool GetSecondaryKey(const nsACString& aType, nsACString& aSecondaryKey) {
aSecondaryKey.Truncate();
if (aType.IsEmpty()) {
return false;
}
for (const auto& perm : kSecondaryKeyedPermissions) {
if (aType.Length() > perm.Length() &&
Substring(aType, 0, perm.Length()) == perm) {
aSecondaryKey = Substring(aType, perm.Length());
return true;
}
}
return false;
}
void OriginAppendOASuffix(OriginAttributes aOriginAttributes,
bool aForceStripOA, nsACString& aOrigin) {
PermissionManager::MaybeStripOriginAttributes(aForceStripOA,
aOriginAttributes);
nsAutoCString oaSuffix;
aOriginAttributes.CreateSuffix(oaSuffix);
aOrigin.Append(oaSuffix);
}
nsresult GetOriginFromPrincipal(nsIPrincipal* aPrincipal, bool aForceStripOA,
nsACString& aOrigin) {
nsresult rv = aPrincipal->GetOriginNoSuffix(aOrigin);
// The principal may belong to the about:blank content viewer, so this can be
// expected to fail.
if (NS_FAILED(rv)) {
return rv;
}
nsAutoCString suffix;
rv = aPrincipal->GetOriginSuffix(suffix);
NS_ENSURE_SUCCESS(rv, rv);
OriginAttributes attrs;
NS_ENSURE_TRUE(attrs.PopulateFromSuffix(suffix), NS_ERROR_FAILURE);
OriginAppendOASuffix(attrs, aForceStripOA, aOrigin);
return NS_OK;
}
// Returns the site of the principal, including OA, given a principal.
nsresult GetSiteFromPrincipal(nsIPrincipal* aPrincipal, bool aForceStripOA,
nsACString& aSite) {
nsCOMPtr<nsIURI> uri = aPrincipal->GetURI();
nsEffectiveTLDService* etld = nsEffectiveTLDService::GetInstance();
NS_ENSURE_TRUE(etld, NS_ERROR_FAILURE);
NS_ENSURE_TRUE(uri, NS_ERROR_FAILURE);
nsresult rv = etld->GetSite(uri, aSite);
// The principal may belong to the about:blank content viewer, so this can be
// expected to fail.
if (NS_FAILED(rv)) {
rv = aPrincipal->GetOrigin(aSite);
NS_ENSURE_SUCCESS(rv, rv);
return NS_OK;
}
nsAutoCString suffix;
rv = aPrincipal->GetOriginSuffix(suffix);
NS_ENSURE_SUCCESS(rv, rv);
OriginAttributes attrs;
NS_ENSURE_TRUE(attrs.PopulateFromSuffix(suffix), NS_ERROR_FAILURE);
OriginAppendOASuffix(attrs, aForceStripOA, aSite);
return NS_OK;
}
nsresult GetOriginFromURIAndOA(nsIURI* aURI,
const OriginAttributes* aOriginAttributes,
bool aForceStripOA, nsACString& aOrigin) {
nsAutoCString origin(aOrigin);
nsresult rv = ContentPrincipal::GenerateOriginNoSuffixFromURI(aURI, origin);
NS_ENSURE_SUCCESS(rv, rv);
OriginAppendOASuffix(*aOriginAttributes, aForceStripOA, origin);
aOrigin = origin;
return NS_OK;
}
nsresult GetPrincipalFromOrigin(const nsACString& aOrigin, bool aForceStripOA,
nsIPrincipal** aPrincipal) {
nsAutoCString originNoSuffix;
OriginAttributes attrs;
if (!attrs.PopulateFromOrigin(aOrigin, originNoSuffix)) {
return NS_ERROR_FAILURE;
}
PermissionManager::MaybeStripOriginAttributes(aForceStripOA, attrs);
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), originNoSuffix);
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIPrincipal> principal =
BasePrincipal::CreateContentPrincipal(uri, attrs);
principal.forget(aPrincipal);
return NS_OK;
}
nsresult GetPrincipal(nsIURI* aURI, nsIPrincipal** aPrincipal) {
OriginAttributes attrs;
nsCOMPtr<nsIPrincipal> principal =
BasePrincipal::CreateContentPrincipal(aURI, attrs);
NS_ENSURE_TRUE(principal, NS_ERROR_FAILURE);
principal.forget(aPrincipal);
return NS_OK;
}
nsCString GetNextSubDomainForHost(const nsACString& aHost) {
nsCString subDomain;
nsresult rv =
nsEffectiveTLDService::GetInstance()->GetNextSubDomain(aHost, subDomain);
// We can fail if there is no more subdomain or if the host can't have a
// subdomain.
if (NS_FAILED(rv)) {
return ""_ns;
}
return subDomain;
}
// This function produces a nsIURI which is identical to the current
// nsIURI, except that it has one less subdomain segment. It returns
// `nullptr` if there are no more segments to remove.
already_AddRefed<nsIURI> GetNextSubDomainURI(nsIURI* aURI) {
nsAutoCString host;
nsresult rv = aURI->GetHost(host);
if (NS_FAILED(rv)) {
return nullptr;
}
nsCString domain = GetNextSubDomainForHost(host);
if (domain.IsEmpty()) {
return nullptr;
}
nsCOMPtr<nsIURI> uri;
rv = NS_MutateURI(aURI).SetHost(domain).Finalize(uri);
if (NS_FAILED(rv) || !uri) {
return nullptr;
}
return uri.forget();
}
nsresult UpgradeHostToOriginAndInsert(
const nsACString& aHost, const nsCString& aType, uint32_t aPermission,
uint32_t aExpireType, int64_t aExpireTime, int64_t aModificationTime,
std::function<nsresult(const nsACString& aOrigin, const nsCString& aType,
uint32_t aPermission, uint32_t aExpireType,
int64_t aExpireTime, int64_t aModificationTime)>&&
aCallback) {
if (aHost.EqualsLiteral("<file>")) {
// We no longer support the magic host <file>
NS_WARNING(
"The magic host <file> is no longer supported. "
"It is being removed from the permissions database.");
return NS_OK;
}
// First, we check to see if the host is a valid URI. If it is, it can be
// imported directly
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), aHost);
if (NS_SUCCEEDED(rv)) {
// It was previously possible to insert useless entries to your permissions
// database for URIs which have a null principal. This acts as a cleanup,
// getting rid of these useless database entries
if (uri->SchemeIs("moz-nullprincipal")) {
NS_WARNING("A moz-nullprincipal: permission is being discarded.");
return NS_OK;
}
nsCOMPtr<nsIPrincipal> principal;
rv = GetPrincipal(uri, getter_AddRefs(principal));
NS_ENSURE_SUCCESS(rv, rv);
nsAutoCString origin;
rv = GetOriginFromPrincipal(principal, IsOAForceStripPermission(aType),
origin);
NS_ENSURE_SUCCESS(rv, rv);
aCallback(origin, aType, aPermission, aExpireType, aExpireTime,
aModificationTime);
return NS_OK;
}
// The user may use this host at non-standard ports or protocols, we can use
// their history to guess what ports and protocols we want to add permissions
// for. We find every URI which they have visited with this host (or a
// subdomain of this host), and try to add it as a principal.
bool foundHistory = false;
nsCOMPtr<nsINavHistoryService> histSrv = nullptr;
if (NS_IsMainThread()) {
histSrv = do_GetService(NS_NAVHISTORYSERVICE_CONTRACTID);
}
if (histSrv) {
nsCOMPtr<nsINavHistoryQuery> histQuery;
rv = histSrv->GetNewQuery(getter_AddRefs(histQuery));
NS_ENSURE_SUCCESS(rv, rv);
// Get the eTLD+1 of the domain
nsAutoCString eTLD1;
rv = nsEffectiveTLDService::GetInstance()->GetBaseDomainFromHost(aHost, 0,
eTLD1);
if (NS_FAILED(rv)) {
// If the lookup on the tldService for the base domain for the host
// failed, that means that we just want to directly use the host as the
// host name for the lookup.
eTLD1 = aHost;
}
// We want to only find history items for this particular eTLD+1, and
// subdomains
rv = histQuery->SetDomain(eTLD1);
NS_ENSURE_SUCCESS(rv, rv);
rv = histQuery->SetDomainIsHost(false);
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsINavHistoryQueryOptions> histQueryOpts;
rv = histSrv->GetNewQueryOptions(getter_AddRefs(histQueryOpts));
NS_ENSURE_SUCCESS(rv, rv);
// We want to get the URIs for every item in the user's history with the
// given host
rv =
histQueryOpts->SetResultType(nsINavHistoryQueryOptions::RESULTS_AS_URI);
NS_ENSURE_SUCCESS(rv, rv);
// We only search history, because searching both bookmarks and history
// is not supported, and history tends to be more comprehensive.
rv = histQueryOpts->SetQueryType(
nsINavHistoryQueryOptions::QUERY_TYPE_HISTORY);
NS_ENSURE_SUCCESS(rv, rv);
// We include hidden URIs (such as those visited via iFrames) as they may
// have permissions too
rv = histQueryOpts->SetIncludeHidden(true);
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsINavHistoryResult> histResult;
rv = histSrv->ExecuteQuery(histQuery, histQueryOpts,
getter_AddRefs(histResult));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsINavHistoryContainerResultNode> histResultContainer;
rv = histResult->GetRoot(getter_AddRefs(histResultContainer));
NS_ENSURE_SUCCESS(rv, rv);
rv = histResultContainer->SetContainerOpen(true);
NS_ENSURE_SUCCESS(rv, rv);
uint32_t childCount = 0;
rv = histResultContainer->GetChildCount(&childCount);
NS_ENSURE_SUCCESS(rv, rv);
nsTHashSet<nsCString> insertedOrigins;
for (uint32_t i = 0; i < childCount; i++) {
nsCOMPtr<nsINavHistoryResultNode> child;
histResultContainer->GetChild(i, getter_AddRefs(child));
if (NS_WARN_IF(NS_FAILED(rv))) continue;
uint32_t type;
rv = child->GetType(&type);
if (NS_WARN_IF(NS_FAILED(rv)) ||
type != nsINavHistoryResultNode::RESULT_TYPE_URI) {
NS_WARNING(
"Unexpected non-RESULT_TYPE_URI node in "
"UpgradeHostToOriginAndInsert()");
continue;
}
nsAutoCString uriSpec;
rv = child->GetUri(uriSpec);
if (NS_WARN_IF(NS_FAILED(rv))) continue;
nsCOMPtr<nsIURI> uri;
rv = NS_NewURI(getter_AddRefs(uri), uriSpec);
if (NS_WARN_IF(NS_FAILED(rv))) continue;
// Use the provided host - this URI may be for a subdomain, rather than
// the host we care about.
rv = NS_MutateURI(uri).SetHost(aHost).Finalize(uri);
if (NS_WARN_IF(NS_FAILED(rv))) continue;
// We now have a URI which we can make a nsIPrincipal out of
nsCOMPtr<nsIPrincipal> principal;
rv = GetPrincipal(uri, getter_AddRefs(principal));
if (NS_WARN_IF(NS_FAILED(rv))) continue;
nsAutoCString origin;
rv = GetOriginFromPrincipal(principal, IsOAForceStripPermission(aType),
origin);
if (NS_WARN_IF(NS_FAILED(rv))) continue;
// Ensure that we don't insert the same origin repeatedly
if (insertedOrigins.Contains(origin)) {
continue;
}
foundHistory = true;
rv = aCallback(origin, aType, aPermission, aExpireType, aExpireTime,
aModificationTime);
NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Insert failed");
insertedOrigins.Insert(origin);
}
rv = histResultContainer->SetContainerOpen(false);
NS_ENSURE_SUCCESS(rv, rv);
}
// If we didn't find any origins for this host in the poermissions database,
// we can insert the default http:// and https:// permissions into the
// database. This has a relatively high likelihood of applying the permission
// to the correct origin.
if (!foundHistory) {
nsAutoCString hostSegment;
nsCOMPtr<nsIPrincipal> principal;
nsAutoCString origin;
// If this is an ipv6 URI, we need to surround it in '[', ']' before trying
// to parse it as a URI.
if (aHost.FindChar(':') != -1) {
hostSegment.AssignLiteral("[");
hostSegment.Append(aHost);
hostSegment.AppendLiteral("]");
} else {
hostSegment.Assign(aHost);
}
// http:// URI default
rv = NS_NewURI(getter_AddRefs(uri), "http://"_ns + hostSegment);
NS_ENSURE_SUCCESS(rv, rv);
rv = GetPrincipal(uri, getter_AddRefs(principal));
NS_ENSURE_SUCCESS(rv, rv);
rv = GetOriginFromPrincipal(principal, IsOAForceStripPermission(aType),
origin);
NS_ENSURE_SUCCESS(rv, rv);
aCallback(origin, aType, aPermission, aExpireType, aExpireTime,
aModificationTime);
// https:// URI default
rv = NS_NewURI(getter_AddRefs(uri), "https://"_ns + hostSegment);
NS_ENSURE_SUCCESS(rv, rv);
rv = GetPrincipal(uri, getter_AddRefs(principal));
NS_ENSURE_SUCCESS(rv, rv);
rv = GetOriginFromPrincipal(principal, IsOAForceStripPermission(aType),
origin);
NS_ENSURE_SUCCESS(rv, rv);
aCallback(origin, aType, aPermission, aExpireType, aExpireTime,
aModificationTime);
}
return NS_OK;
}
bool IsExpandedPrincipal(nsIPrincipal* aPrincipal) {
nsCOMPtr<nsIExpandedPrincipal> ep = do_QueryInterface(aPrincipal);
return !!ep;
}
// We only want to persist permissions which don't have session or policy
// expiration.
bool IsPersistentExpire(uint32_t aExpire, const nsACString& aType) {
bool res = (aExpire != nsIPermissionManager::EXPIRE_SESSION &&
aExpire != nsIPermissionManager::EXPIRE_POLICY);
return res;
}
nsresult NotifySecondaryKeyPermissionUpdateInContentProcess(
const nsACString& aType, uint32_t aPermission,
const nsACString& aSecondaryKey, nsIPrincipal* aTopPrincipal) {
NS_ENSURE_ARG_POINTER(aTopPrincipal);
MOZ_ASSERT(XRE_IsParentProcess());
AutoTArray<RefPtr<BrowsingContextGroup>, 5> bcGroups;
BrowsingContextGroup::GetAllGroups(bcGroups);
for (const auto& bcGroup : bcGroups) {
for (const auto& topBC : bcGroup->Toplevels()) {
CanonicalBrowsingContext* topCBC = topBC->Canonical();
RefPtr<nsIURI> topURI = topCBC->GetCurrentURI();
if (!topURI) {
continue;
}
bool thirdParty;
nsresult rv = aTopPrincipal->IsThirdPartyURI(topURI, &thirdParty);
if (NS_FAILED(rv)) {
continue;
}
if (!thirdParty) {
AutoTArray<RefPtr<BrowsingContext>, 5> bcs;
topBC->GetAllBrowsingContextsInSubtree(bcs);
for (const auto& bc : bcs) {
CanonicalBrowsingContext* cbc = bc->Canonical();
ContentParent* cp = cbc->GetContentParent();
if (!cp) {
continue;
}
if (cp->NeedsSecondaryKeyPermissionsUpdate(aSecondaryKey)) {
WindowGlobalParent* wgp = cbc->GetCurrentWindowGlobal();
if (!wgp) {
continue;
}
bool success = wgp->SendNotifyPermissionChange(aType, aPermission);
Unused << NS_WARN_IF(!success);
}
}
}
}
}
return NS_OK;
}
} // namespace
////////////////////////////////////////////////////////////////////////////////
PermissionManager::PermissionKey*
PermissionManager::PermissionKey::CreateFromPrincipal(nsIPrincipal* aPrincipal,
bool aForceStripOA,
bool aScopeToSite,
nsresult& aResult) {
nsAutoCString keyString;
if (aScopeToSite) {
aResult = GetSiteFromPrincipal(aPrincipal, aForceStripOA, keyString);
} else {
aResult = GetOriginFromPrincipal(aPrincipal, aForceStripOA, keyString);
}
if (NS_WARN_IF(NS_FAILED(aResult))) {
return nullptr;
}
return new PermissionKey(keyString);
}
PermissionManager::PermissionKey*
PermissionManager::PermissionKey::CreateFromURIAndOriginAttributes(
nsIURI* aURI, const OriginAttributes* aOriginAttributes, bool aForceStripOA,
nsresult& aResult) {
nsAutoCString origin;
aResult =
GetOriginFromURIAndOA(aURI, aOriginAttributes, aForceStripOA, origin);
if (NS_WARN_IF(NS_FAILED(aResult))) {
return nullptr;
}
return new PermissionKey(origin);
}
PermissionManager::PermissionKey*
PermissionManager::PermissionKey::CreateFromURI(nsIURI* aURI,
nsresult& aResult) {
nsAutoCString origin;
aResult = ContentPrincipal::GenerateOriginNoSuffixFromURI(aURI, origin);
if (NS_WARN_IF(NS_FAILED(aResult))) {
return nullptr;
}
return new PermissionKey(origin);
}
////////////////////////////////////////////////////////////////////////////////
// PermissionManager Implementation
NS_IMPL_ISUPPORTS(PermissionManager, nsIPermissionManager, nsIObserver,
nsISupportsWeakReference, nsIAsyncShutdownBlocker)
PermissionManager::PermissionManager()
: mMonitor("PermissionManager::mMonitor"),
mState(eInitializing),
mMemoryOnlyDB(false),
mLargestID(0) {}
PermissionManager::~PermissionManager() {
// NOTE: Make sure to reject each of the promises in mPermissionKeyPromiseMap
// before destroying.
for (const auto& promise : mPermissionKeyPromiseMap.Values()) {
if (promise) {
promise->Reject(NS_ERROR_FAILURE, __func__);
}
}
mPermissionKeyPromiseMap.Clear();
if (mThread) {
mThread->Shutdown();
mThread = nullptr;
}
}
/* static */
StaticMutex PermissionManager::sCreationMutex;
// static
already_AddRefed<nsIPermissionManager> PermissionManager::GetXPCOMSingleton() {
// The lazy initialization could race.
StaticMutexAutoLock lock(sCreationMutex);
if (gPermissionManager) {
return do_AddRef(gPermissionManager);
}
// Create a new singleton PermissionManager.
// We AddRef only once since XPCOM has rules about the ordering of module
// teardowns - by the time our module destructor is called, it's too late to
// Release our members, since GC cycles have already been completed and
// would result in serious leaks.
// See bug 209571.
auto permManager = MakeRefPtr<PermissionManager>();
if (NS_SUCCEEDED(permManager->Init())) {
gPermissionManager = permManager.get();
return permManager.forget();
}
return nullptr;
}
// static
PermissionManager* PermissionManager::GetInstance() {
// TODO: There is a minimal chance that we can race here with a
// GetXPCOMSingleton call that did not yet set gPermissionManager.
// See bug 1745056.
if (!gPermissionManager) {
// Hand off the creation of the permission manager to GetXPCOMSingleton.
nsCOMPtr<nsIPermissionManager> permManager = GetXPCOMSingleton();
}
return gPermissionManager;
}
nsresult PermissionManager::Init() {
// If we are already shutting down, do not permit a creation.
// This must match the phase in GetAsyncShutdownBarrier.
if (AppShutdown::IsInOrBeyond(ShutdownPhase::XPCOMWillShutdown)) {
return NS_ERROR_ILLEGAL_DURING_SHUTDOWN;
}
// If the 'permissions.memory_only' pref is set to true, then don't write any
// permission settings to disk, but keep them in a memory-only database.
mMemoryOnlyDB = Preferences::GetBool("permissions.memory_only", false);
nsresult rv;
nsCOMPtr<nsIPrefService> prefService =
do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
NS_ENSURE_SUCCESS(rv, rv);
rv = prefService->GetBranch("permissions.default.",
getter_AddRefs(mDefaultPrefBranch));
NS_ENSURE_SUCCESS(rv, rv);
if (IsChildProcess()) {
// Stop here; we don't need the DB in the child process. Instead we will be
// sent permissions as we need them by our parent process.
mState = eReady;
// We use ClearOnShutdown on the content process only because on the parent
// process we need to block the shutdown for the final closeDB() call.
ClearOnShutdown(&gPermissionManager);
return NS_OK;
}
nsCOMPtr<nsIObserverService> observerService = services::GetObserverService();
if (observerService) {
observerService->AddObserver(this, "profile-do-change", true);
observerService->AddObserver(this, "profile-after-change", true);
observerService->AddObserver(this, "testonly-reload-permissions-from-disk",
true);
}
if (XRE_IsParentProcess()) {
nsCOMPtr<nsIAsyncShutdownClient> asc = GetAsyncShutdownBarrier();
if (!asc) {
return NS_ERROR_NOT_AVAILABLE;
}
nsAutoString blockerName;
MOZ_ALWAYS_SUCCEEDS(GetName(blockerName));
nsresult rv = asc->AddBlocker(
this, NS_LITERAL_STRING_FROM_CSTRING(__FILE__), __LINE__, blockerName);
NS_ENSURE_SUCCESS(rv, rv);
}
AddIdleDailyMaintenanceJob();
MOZ_ASSERT(!mThread);
NS_ENSURE_SUCCESS(NS_NewNamedThread("Permission", getter_AddRefs(mThread)),
NS_ERROR_FAILURE);
PRThread* prThread;
MOZ_ALWAYS_SUCCEEDS(mThread->GetPRThread(&prThread));
MOZ_ASSERT(prThread);
mThreadBoundData.Transfer(prThread);
InitDB(false);
return NS_OK;
}
nsresult PermissionManager::OpenDatabase(nsIFile* aPermissionsFile) {
MOZ_ASSERT(!NS_IsMainThread());
auto data = mThreadBoundData.Access();
nsresult rv;
nsCOMPtr<mozIStorageService> storage =
do_GetService(MOZ_STORAGE_SERVICE_CONTRACTID);
if (!storage) {
return NS_ERROR_UNEXPECTED;
}
// cache a connection to the hosts database
if (mMemoryOnlyDB) {
rv = storage->OpenSpecialDatabase(
kMozStorageMemoryStorageKey, VoidCString(),
mozIStorageService::CONNECTION_DEFAULT, getter_AddRefs(data->mDBConn));
} else {
rv = storage->OpenDatabase(aPermissionsFile,
mozIStorageService::CONNECTION_DEFAULT,
getter_AddRefs(data->mDBConn));
}
return rv;
}
void PermissionManager::InitDB(bool aRemoveFile) {
mState = eInitializing;
{
MonitorAutoLock lock(mMonitor);
mReadEntries.Clear();
}
auto readyIfFailed = MakeScopeExit([&]() {
// ignore failure here, since it's non-fatal (we can run fine without
// persistent storage - e.g. if there's no profile).
// XXX should we tell the user about this?
mState = eReady;
});
if (!mPermissionsFile) {
nsresult rv = NS_GetSpecialDirectory(NS_APP_PERMISSION_PARENT_DIR,
getter_AddRefs(mPermissionsFile));
if (NS_FAILED(rv)) {
rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
getter_AddRefs(mPermissionsFile));
if (NS_FAILED(rv)) {
return;
}
}
rv =
mPermissionsFile->AppendNative(nsLiteralCString(PERMISSIONS_FILE_NAME));
NS_ENSURE_SUCCESS_VOID(rv);
}
nsCOMPtr<nsIInputStream> defaultsInputStream = GetDefaultsInputStream();
RefPtr<PermissionManager> self = this;
mThread->Dispatch(NS_NewRunnableFunction(
"PermissionManager::InitDB", [self, aRemoveFile, defaultsInputStream] {
nsresult rv = self->TryInitDB(aRemoveFile, defaultsInputStream);
Unused << NS_WARN_IF(NS_FAILED(rv));
// This extra runnable calls EnsureReadCompleted to finialize the
// initialization. If there is something blocked by the monitor, it will
// be NOP.
NS_DispatchToMainThread(
NS_NewRunnableFunction("PermissionManager::InitDB-MainThread",
[self] { self->EnsureReadCompleted(); }));
self->mMonitor.Notify();
}));
readyIfFailed.release();
}
nsresult PermissionManager::TryInitDB(bool aRemoveFile,
nsIInputStream* aDefaultsInputStream) {
MOZ_ASSERT(!NS_IsMainThread());
MonitorAutoLock lock(mMonitor);
auto raii = MakeScopeExit([&]() {
if (aDefaultsInputStream) {
aDefaultsInputStream->Close();
}
mState = eDBInitialized;
});
auto data = mThreadBoundData.Access();
auto raiiFailure = MakeScopeExit([&]() {
if (data->mDBConn) {
DebugOnly<nsresult> rv = data->mDBConn->Close();
MOZ_ASSERT(NS_SUCCEEDED(rv));
data->mDBConn = nullptr;
}
});
nsresult rv;
if (aRemoveFile) {
bool exists = false;
rv = mPermissionsFile->Exists(&exists);
NS_ENSURE_SUCCESS(rv, rv);
if (exists) {
rv = mPermissionsFile->Remove(false);
NS_ENSURE_SUCCESS(rv, rv);
}
}
rv = OpenDatabase(mPermissionsFile);
if (rv == NS_ERROR_FILE_CORRUPTED) {
LogToConsole(u"permissions.sqlite is corrupted! Try again!"_ns);
// Add telemetry probe
Telemetry::Accumulate(Telemetry::PERMISSIONS_SQL_CORRUPTED, 1);
// delete corrupted permissions.sqlite and try again
rv = mPermissionsFile->Remove(false);
NS_ENSURE_SUCCESS(rv, rv);
LogToConsole(u"Corrupted permissions.sqlite has been removed."_ns);
rv = OpenDatabase(mPermissionsFile);
NS_ENSURE_SUCCESS(rv, rv);
LogToConsole(u"OpenDatabase to permissions.sqlite is successful!"_ns);
}
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
bool ready;
data->mDBConn->GetConnectionReady(&ready);
if (!ready) {
LogToConsole(nsLiteralString(
u"Fail to get connection to permissions.sqlite! Try again!"));
// delete and try again
rv = mPermissionsFile->Remove(false);
NS_ENSURE_SUCCESS(rv, rv);
LogToConsole(u"Defective permissions.sqlite has been removed."_ns);
// Add telemetry probe
Telemetry::Accumulate(Telemetry::DEFECTIVE_PERMISSIONS_SQL_REMOVED, 1);
rv = OpenDatabase(mPermissionsFile);
NS_ENSURE_SUCCESS(rv, rv);
LogToConsole(u"OpenDatabase to permissions.sqlite is successful!"_ns);
data->mDBConn->GetConnectionReady(&ready);
if (!ready) return NS_ERROR_UNEXPECTED;
}
bool tableExists = false;
data->mDBConn->TableExists("moz_perms"_ns, &tableExists);
if (!tableExists) {
data->mDBConn->TableExists("moz_hosts"_ns, &tableExists);
}
if (!tableExists) {
rv = CreateTable();
NS_ENSURE_SUCCESS(rv, rv);
} else {
// table already exists; check the schema version before reading
int32_t dbSchemaVersion;
rv = data->mDBConn->GetSchemaVersion(&dbSchemaVersion);
NS_ENSURE_SUCCESS(rv, rv);
switch (dbSchemaVersion) {
// upgrading.
// every time you increment the database schema, you need to
// implement the upgrading code from the previous version to the
// new one. fall through to current version
case 1: {
// previous non-expiry version of database. Upgrade it by adding
// the expiration columns
rv = data->mDBConn->ExecuteSimpleSQL(
"ALTER TABLE moz_hosts ADD expireType INTEGER"_ns);
NS_ENSURE_SUCCESS(rv, rv);
rv = data->mDBConn->ExecuteSimpleSQL(
"ALTER TABLE moz_hosts ADD expireTime INTEGER"_ns);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
// TODO: we want to make default version as version 2 in order to
// fix bug 784875.
case 0:
case 2: {
// Add appId/isInBrowserElement fields.
rv = data->mDBConn->ExecuteSimpleSQL(
"ALTER TABLE moz_hosts ADD appId INTEGER"_ns);
NS_ENSURE_SUCCESS(rv, rv);
rv = data->mDBConn->ExecuteSimpleSQL(nsLiteralCString(
"ALTER TABLE moz_hosts ADD isInBrowserElement INTEGER"));
NS_ENSURE_SUCCESS(rv, rv);
rv = data->mDBConn->SetSchemaVersion(3);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
// Version 3->4 is the creation of the modificationTime field.
case 3: {
rv = data->mDBConn->ExecuteSimpleSQL(nsLiteralCString(
"ALTER TABLE moz_hosts ADD modificationTime INTEGER"));
NS_ENSURE_SUCCESS(rv, rv);
// We leave the modificationTime at zero for all existing records;
// using now() would mean, eg, that doing "remove all from the
// last hour" within the first hour after migration would remove
// all permissions.
rv = data->mDBConn->SetSchemaVersion(4);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
// In version 5, host appId, and isInBrowserElement were merged into
// a single origin entry
//
// In version 6, the tables were renamed for backwards compatability
// reasons with version 4 and earlier.
//
// In version 7, a bug in the migration used for version 4->5 was
// discovered which could have triggered data-loss. Because of that,
// all users with a version 4, 5, or 6 database will be re-migrated
// from the backup database. (bug 1186034). This migration bug is
// not present after bug 1185340, and the re-migration ensures that
// all users have the fix.
case 5:
// This branch could also be reached via dbSchemaVersion == 3, in
// which case we want to fall through to the dbSchemaVersion == 4
// case. The easiest way to do that is to perform this extra check
// here to make sure that we didn't get here via a fallthrough
// from v3
if (dbSchemaVersion == 5) {
// In version 5, the backup database is named moz_hosts_v4. We
// perform the version 5->6 migration to get the tables to have
// consistent naming conventions.
// Version 5->6 is the renaming of moz_hosts to moz_perms, and
// moz_hosts_v4 to moz_hosts (bug 1185343)
//
// In version 5, we performed the modifications to the
// permissions database in place, this meant that if you
// upgraded to a version which used V5, and then downgraded to a
// version which used v4 or earlier, the fallback path would
// drop the table, and your permissions data would be lost. This
// migration undoes that mistake, by restoring the old moz_hosts
// table (if it was present), and instead using the new table
// moz_perms for the new permissions schema.
//
// NOTE: If you downgrade, store new permissions, and then
// upgrade again, these new permissions won't be migrated or
// reflected in the updated database. This migration only occurs
// once, as if moz_perms exists, it will skip creating it. In
// addition, permissions added after the migration will not be
// visible in previous versions of firefox.
bool permsTableExists = false;
data->mDBConn->TableExists("moz_perms"_ns, &permsTableExists);
if (!permsTableExists) {
// Move the upgraded database to moz_perms
rv = data->mDBConn->ExecuteSimpleSQL(
"ALTER TABLE moz_hosts RENAME TO moz_perms"_ns);
NS_ENSURE_SUCCESS(rv, rv);
} else {
NS_WARNING(
"moz_hosts was not renamed to moz_perms, "
"as a moz_perms table already exists");
// In the situation where a moz_perms table already exists,
// but the schema is lower than 6, a migration has already
// previously occured to V6, but a downgrade has caused the
// moz_hosts table to be dropped. This should only occur in
// the case of a downgrade to a V5 database, which was only
// present in a few day's nightlies. As that version was
// likely used only on a temporary basis, we assume that the
// database from the previous V6 has the permissions which the
// user actually wants to use. We have to get rid of moz_hosts
// such that moz_hosts_v4 can be moved into its place if it
// exists.
rv = data->mDBConn->ExecuteSimpleSQL("DROP TABLE moz_hosts"_ns);
NS_ENSURE_SUCCESS(rv, rv);
}
#ifdef DEBUG
// The moz_hosts table shouldn't exist anymore
bool hostsTableExists = false;
data->mDBConn->TableExists("moz_hosts"_ns, &hostsTableExists);
MOZ_ASSERT(!hostsTableExists);
#endif
// Rename moz_hosts_v4 back to it's original location, if it
// exists
bool v4TableExists = false;
data->mDBConn->TableExists("moz_hosts_v4"_ns, &v4TableExists);
if (v4TableExists) {
rv = data->mDBConn->ExecuteSimpleSQL(nsLiteralCString(
"ALTER TABLE moz_hosts_v4 RENAME TO moz_hosts"));
NS_ENSURE_SUCCESS(rv, rv);
}
rv = data->mDBConn->SetSchemaVersion(6);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
// At this point, the version 5 table has been migrated to a version
// 6 table We are guaranteed to have at least one of moz_hosts and
// moz_perms. If we have moz_hosts, we will migrate moz_hosts into
// moz_perms (even if we already have a moz_perms, as we need a
// re-migration due to bug 1186034).
//
// After this migration, we are guaranteed to have both a moz_hosts
// (for backwards compatability), and a moz_perms table. The
// moz_hosts table will have a v4 schema, and the moz_perms table
// will have a v6 schema.
case 4:
case 6: {
bool hostsTableExists = false;
data->mDBConn->TableExists("moz_hosts"_ns, &hostsTableExists);
if (hostsTableExists) {
// Both versions 4 and 6 have a version 4 formatted hosts table
// named moz_hosts. We can migrate this table to our version 7
// table moz_perms. If moz_perms is present, then we can use it
// as a basis for comparison.
rv = data->mDBConn->BeginTransaction();
NS_ENSURE_SUCCESS(rv, rv);
bool tableExists = false;
data->mDBConn->TableExists("moz_hosts_new"_ns, &tableExists);
if (tableExists) {
NS_WARNING(
"The temporary database moz_hosts_new already exists, "
"dropping "
"it.");
rv = data->mDBConn->ExecuteSimpleSQL("DROP TABLE moz_hosts_new"_ns);
NS_ENSURE_SUCCESS(rv, rv);
}
rv = data->mDBConn->ExecuteSimpleSQL(
nsLiteralCString("CREATE TABLE moz_hosts_new ("
" id INTEGER PRIMARY KEY"
",origin TEXT"
",type TEXT"
",permission INTEGER"
",expireType INTEGER"
",expireTime INTEGER"
",modificationTime INTEGER"
")"));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<mozIStorageStatement> stmt;
rv = data->mDBConn->CreateStatement(
nsLiteralCString(
"SELECT host, type, permission, expireType, "
"expireTime, "
"modificationTime, isInBrowserElement FROM moz_hosts"),
getter_AddRefs(stmt));
NS_ENSURE_SUCCESS(rv, rv);
int64_t id = 0;
bool hasResult;
while (NS_SUCCEEDED(stmt->ExecuteStep(&hasResult)) && hasResult) {
MigrationEntry entry;
// Read in the old row
rv = stmt->GetUTF8String(0, entry.mHost);
if (NS_WARN_IF(NS_FAILED(rv))) {
continue;
}
rv = stmt->GetUTF8String(1, entry.mType);
if (NS_WARN_IF(NS_FAILED(rv))) {
continue;
}
entry.mId = id++;
entry.mPermission = stmt->AsInt32(2);
entry.mExpireType = stmt->AsInt32(3);
entry.mExpireTime = stmt->AsInt64(4);
entry.mModificationTime = stmt->AsInt64(5);
mMigrationEntries.AppendElement(entry);
}
// We don't drop the moz_hosts table such that it is available
// for backwards-compatability and for future migrations in case
// of migration errors in the current code. Create a marker
// empty table which will indicate that the moz_hosts table is
// intended to act as a backup. If this table is not present,
// then the moz_hosts table was created as a random empty table.
rv = data->mDBConn->ExecuteSimpleSQL(
nsLiteralCString("CREATE TABLE moz_hosts_is_backup (dummy "
"INTEGER PRIMARY KEY)"));
NS_ENSURE_SUCCESS(rv, rv);
bool permsTableExists = false;
data->mDBConn->TableExists("moz_perms"_ns, &permsTableExists);
if (permsTableExists) {
// The user already had a moz_perms table, and we are
// performing a re-migration. We count the rows in the old
// table for telemetry, and then back up their old database as
// moz_perms_v6
nsCOMPtr<mozIStorageStatement> countStmt;
rv = data->mDBConn->CreateStatement(
"SELECT COUNT(*) FROM moz_perms"_ns, getter_AddRefs(countStmt));
bool hasResult = false;
if (NS_FAILED(rv) ||
NS_FAILED(countStmt->ExecuteStep(&hasResult)) || !hasResult) {
NS_WARNING("Could not count the rows in moz_perms");
}
// Back up the old moz_perms database as moz_perms_v6 before
// we move the new table into its position
rv = data->mDBConn->ExecuteSimpleSQL(nsLiteralCString(
"ALTER TABLE moz_perms RENAME TO moz_perms_v6"));
NS_ENSURE_SUCCESS(rv, rv);
}
rv = data->mDBConn->ExecuteSimpleSQL(nsLiteralCString(
"ALTER TABLE moz_hosts_new RENAME TO moz_perms"));
NS_ENSURE_SUCCESS(rv, rv);
rv = data->mDBConn->CommitTransaction();
NS_ENSURE_SUCCESS(rv, rv);
} else {
// We don't have a moz_hosts table, so we create one for
// downgrading purposes. This table is empty.
rv = data->mDBConn->ExecuteSimpleSQL(
nsLiteralCString("CREATE TABLE moz_hosts ("
" id INTEGER PRIMARY KEY"
",host TEXT"
",type TEXT"
",permission INTEGER"
",expireType INTEGER"
",expireTime INTEGER"
",modificationTime INTEGER"
",appId INTEGER"
",isInBrowserElement INTEGER"
")"));
NS_ENSURE_SUCCESS(rv, rv);
// We are guaranteed to have a moz_perms table at this point.
}
#ifdef DEBUG
{
// At this point, both the moz_hosts and moz_perms tables should
// exist
bool hostsTableExists = false;
bool permsTableExists = false;
data->mDBConn->TableExists("moz_hosts"_ns, &hostsTableExists);
data->mDBConn->TableExists("moz_perms"_ns, &permsTableExists);
MOZ_ASSERT(hostsTableExists && permsTableExists);
}
#endif
rv = data->mDBConn->SetSchemaVersion(7);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
// The version 7-8 migration is the re-migration of localhost and
// ip-address entries due to errors in the previous version 7
// migration which caused localhost and ip-address entries to be
// incorrectly discarded. The version 7 migration logic has been
// corrected, and thus this logic only needs to execute if the user
// is currently on version 7.
case 7: {
// This migration will be relatively expensive as we need to
// perform database lookups for each origin which we want to
// insert. Fortunately, it shouldn't be too expensive as we only
// want to insert a small number of entries created for localhost
// or IP addresses.
// We only want to perform the re-migration if moz_hosts is a
// backup
bool hostsIsBackupExists = false;
data->mDBConn->TableExists("moz_hosts_is_backup"_ns,
&hostsIsBackupExists);
// Only perform this migration if the original schema version was
// 7, and the moz_hosts table is a backup.
if (dbSchemaVersion == 7 && hostsIsBackupExists) {
nsCOMPtr<mozIStorageStatement> stmt;
rv = data->mDBConn->CreateStatement(
nsLiteralCString(
"SELECT host, type, permission, expireType, "
"expireTime, "
"modificationTime, isInBrowserElement FROM moz_hosts"),
getter_AddRefs(stmt));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<mozIStorageStatement> idStmt;
rv = data->mDBConn->CreateStatement(
"SELECT MAX(id) FROM moz_hosts"_ns, getter_AddRefs(idStmt));
int64_t id = 0;
bool hasResult = false;
if (NS_SUCCEEDED(rv) &&
NS_SUCCEEDED(idStmt->ExecuteStep(&hasResult)) && hasResult) {
id = idStmt->AsInt32(0) + 1;
}
while (NS_SUCCEEDED(stmt->ExecuteStep(&hasResult)) && hasResult) {
MigrationEntry entry;
// Read in the old row
rv = stmt->GetUTF8String(0, entry.mHost);
if (NS_WARN_IF(NS_FAILED(rv))) {
continue;
}
nsAutoCString eTLD1;
rv = nsEffectiveTLDService::GetInstance()->GetBaseDomainFromHost(
entry.mHost, 0, eTLD1);
if (NS_SUCCEEDED(rv)) {
// We only care about entries which the tldService can't
// handle
continue;
}
rv = stmt->GetUTF8String(1, entry.mType);
if (NS_WARN_IF(NS_FAILED(rv))) {
continue;
}
entry.mId = id++;
entry.mPermission = stmt->AsInt32(2);
entry.mExpireType = stmt->AsInt32(3);
entry.mExpireTime = stmt->AsInt64(4);
entry.mModificationTime = stmt->AsInt64(5);
mMigrationEntries.AppendElement(entry);
}
}
// Even if we didn't perform the migration, we want to bump the
// schema version to 8.
rv = data->mDBConn->SetSchemaVersion(8);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
// The version 8-9 migration removes the unnecessary backup
// moz-hosts database contents. as the data no longer needs to be
// migrated
case 8: {
// We only want to clear out the old table if it is a backup. If
// it isn't a backup, we don't need to touch it.
bool hostsIsBackupExists = false;
data->mDBConn->TableExists("moz_hosts_is_backup"_ns,
&hostsIsBackupExists);
if (hostsIsBackupExists) {
// Delete everything from the backup, we want to keep around the
// table so that you can still downgrade and not break things,
// but we don't need to keep the rows around.
rv = data->mDBConn->ExecuteSimpleSQL("DELETE FROM moz_hosts"_ns);
NS_ENSURE_SUCCESS(rv, rv);
// The table is no longer a backup, so get rid of it.
rv = data->mDBConn->ExecuteSimpleSQL(
"DROP TABLE moz_hosts_is_backup"_ns);
NS_ENSURE_SUCCESS(rv, rv);
}
rv = data->mDBConn->SetSchemaVersion(9);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
case 9: {
rv = data->mDBConn->SetSchemaVersion(10);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
case 10: {
// Filter out the rows with storage access API permissions with a
// granted origin, and remove the granted origin part from the
// permission type.
rv = data->mDBConn->ExecuteSimpleSQL(nsLiteralCString(
"UPDATE moz_perms "
"SET type=SUBSTR(type, 0, INSTR(SUBSTR(type, INSTR(type, "
"'^') + "
"1), '^') + INSTR(type, '^')) "
"WHERE INSTR(SUBSTR(type, INSTR(type, '^') + 1), '^') AND "
"SUBSTR(type, 0, 18) == \"storageAccessAPI^\";"));
NS_ENSURE_SUCCESS(rv, rv);
rv = data->mDBConn->SetSchemaVersion(11);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
case 11: {
// Migrate 3rdPartyStorage keys to a site scope
rv = data->mDBConn->BeginTransaction();
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<mozIStorageStatement> updateStmt;
rv = data->mDBConn->CreateStatement(
nsLiteralCString("UPDATE moz_perms SET origin = ?2 WHERE id = ?1"),
getter_AddRefs(updateStmt));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<mozIStorageStatement> deleteStmt;
rv = data->mDBConn->CreateStatement(
nsLiteralCString("DELETE FROM moz_perms WHERE id = ?1"),
getter_AddRefs(deleteStmt));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<mozIStorageStatement> selectStmt;
rv = data->mDBConn->CreateStatement(
nsLiteralCString("SELECT id, origin, type FROM moz_perms WHERE "
" SUBSTR(type, 0, 17) == \"3rdPartyStorage^\""),
getter_AddRefs(selectStmt));
NS_ENSURE_SUCCESS(rv, rv);
nsTHashSet<nsCStringHashKey> deduplicationSet;
bool hasResult;
while (NS_SUCCEEDED(selectStmt->ExecuteStep(&hasResult)) && hasResult) {
int64_t id;
rv = selectStmt->GetInt64(0, &id);
NS_ENSURE_SUCCESS(rv, rv);
nsCString origin;
rv = selectStmt->GetUTF8String(1, origin);
NS_ENSURE_SUCCESS(rv, rv);
nsCString type;
rv = selectStmt->GetUTF8String(2, type);
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIURI> uri;
rv = NS_NewURI(getter_AddRefs(uri), origin);
if (NS_FAILED(rv)) {
continue;
}
nsCString site;
rv = nsEffectiveTLDService::GetInstance()->GetSite(uri, site);
if (NS_WARN_IF(NS_FAILED(rv))) {
continue;
}
nsCString deduplicationKey =
nsPrintfCString("%s,%s", site.get(), type.get());
if (deduplicationSet.Contains(deduplicationKey)) {
rv = deleteStmt->BindInt64ByIndex(0, id);
NS_ENSURE_SUCCESS(rv, rv);
rv = deleteStmt->Execute();
NS_ENSURE_SUCCESS(rv, rv);
} else {
deduplicationSet.Insert(deduplicationKey);
rv = updateStmt->BindInt64ByIndex(0, id);
NS_ENSURE_SUCCESS(rv, rv);
rv = updateStmt->BindUTF8StringByIndex(1, site);
NS_ENSURE_SUCCESS(rv, rv);
rv = updateStmt->Execute();
NS_ENSURE_SUCCESS(rv, rv);
}
}
rv = data->mDBConn->CommitTransaction();
NS_ENSURE_SUCCESS(rv, rv);
rv = data->mDBConn->SetSchemaVersion(HOSTS_SCHEMA_VERSION);
NS_ENSURE_SUCCESS(rv, rv);
}
// fall through to the next upgrade
[[fallthrough]];
// current version.
case HOSTS_SCHEMA_VERSION:
break;
// downgrading.
// if columns have been added to the table, we can still use the
// ones we understand safely. if columns have been deleted or
// altered, just blow away the table and start from scratch! if you
// change the way a column is interpreted, make sure you also change
// its name so this check will catch it.
default: {
// check if all the expected columns exist
nsCOMPtr<mozIStorageStatement> stmt;
rv = data->mDBConn->CreateStatement(
nsLiteralCString("SELECT origin, type, permission, "
"expireType, expireTime, "
"modificationTime FROM moz_perms"),
getter_AddRefs(stmt));
if (NS_SUCCEEDED(rv)) break;
// our columns aren't there - drop the table!
rv = data->mDBConn->ExecuteSimpleSQL("DROP TABLE moz_perms"_ns);
NS_ENSURE_SUCCESS(rv, rv);
rv = CreateTable();
NS_ENSURE_SUCCESS(rv, rv);
} break;
}
}
// cache frequently used statements (for insertion, deletion, and
// updating)
rv = data->mDBConn->CreateStatement(
nsLiteralCString("INSERT INTO moz_perms "
"(id, origin, type, permission, expireType, "
"expireTime, modificationTime) "
"VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)"),
getter_AddRefs(data->mStmtInsert));
NS_ENSURE_SUCCESS(rv, rv);
rv = data->mDBConn->CreateStatement(nsLiteralCString("DELETE FROM moz_perms "
"WHERE id = ?1"),
getter_AddRefs(data->mStmtDelete));
NS_ENSURE_SUCCESS(rv, rv);
rv = data->mDBConn->CreateStatement(
nsLiteralCString("UPDATE moz_perms "
"SET permission = ?2, expireType= ?3, expireTime = "
"?4, modificationTime = ?5 WHERE id = ?1"),
getter_AddRefs(data->mStmtUpdate));
NS_ENSURE_SUCCESS(rv, rv);
// Always import default permissions.
ConsumeDefaultsInputStream(aDefaultsInputStream, lock);
// check whether to import or just read in the db
if (tableExists) {
rv = Read(lock);
NS_ENSURE_SUCCESS(rv, rv);
}
raiiFailure.release();
return NS_OK;
}
void PermissionManager::AddIdleDailyMaintenanceJob() {
MOZ_ASSERT(NS_IsMainThread());
nsCOMPtr<nsIObserverService> observerService = services::GetObserverService();
NS_ENSURE_TRUE_VOID(observerService);
nsresult rv =
observerService->AddObserver(this, OBSERVER_TOPIC_IDLE_DAILY, false);
NS_ENSURE_SUCCESS_VOID(rv);
}
void PermissionManager::RemoveIdleDailyMaintenanceJob() {
MOZ_ASSERT(NS_IsMainThread());
nsCOMPtr<nsIObserverService> observerService = services::GetObserverService();
NS_ENSURE_TRUE_VOID(observerService);
nsresult rv =
observerService->RemoveObserver(this, OBSERVER_TOPIC_IDLE_DAILY);
NS_ENSURE_SUCCESS_VOID(rv);
}
void PermissionManager::PerformIdleDailyMaintenance() {
MOZ_ASSERT(NS_IsMainThread());
RefPtr<PermissionManager> self = this;
mThread->Dispatch(NS_NewRunnableFunction(
"PermissionManager::PerformIdleDailyMaintenance", [self] {
auto data = self->mThreadBoundData.Access();
if (self->mState == eClosed || !data->mDBConn) {
return;
}
nsCOMPtr<mozIStorageStatement> stmtDeleteExpired;
nsresult rv = data->mDBConn->CreateStatement(
nsLiteralCString("DELETE FROM moz_perms WHERE expireType = "
"?1 AND expireTime <= ?2"),
getter_AddRefs(stmtDeleteExpired));
NS_ENSURE_SUCCESS_VOID(rv);
rv = stmtDeleteExpired->BindInt32ByIndex(
0, nsIPermissionManager::EXPIRE_TIME);
NS_ENSURE_SUCCESS_VOID(rv);
rv = stmtDeleteExpired->BindInt64ByIndex(1, EXPIRY_NOW);
NS_ENSURE_SUCCESS_VOID(rv);
rv = stmtDeleteExpired->Execute();
NS_ENSURE_SUCCESS_VOID(rv);
}));
}
// sets the schema version and creates the moz_perms table.
nsresult PermissionManager::CreateTable() {
MOZ_ASSERT(!NS_IsMainThread());
auto data = mThreadBoundData.Access();
// set the schema version, before creating the table
nsresult rv = data->mDBConn->SetSchemaVersion(HOSTS_SCHEMA_VERSION);
if (NS_FAILED(rv)) return rv;
// create the table
// SQL also lives in automation.py.in. If you change this SQL change that
// one too
rv = data->mDBConn->ExecuteSimpleSQL(
nsLiteralCString("CREATE TABLE moz_perms ("
" id INTEGER PRIMARY KEY"
",origin TEXT"
",type TEXT"
",permission INTEGER"
",expireType INTEGER"
",expireTime INTEGER"
",modificationTime INTEGER"
")"));
if (NS_FAILED(rv)) return rv;
// We also create a legacy V4 table, for backwards compatability,
// and to ensure that downgrades don't trigger a schema version change.
return data->mDBConn->ExecuteSimpleSQL(
nsLiteralCString("CREATE TABLE moz_hosts ("
" id INTEGER PRIMARY KEY"
",host TEXT"
",type TEXT"
",permission INTEGER"
",expireType INTEGER"
",expireTime INTEGER"
",modificationTime INTEGER"
",isInBrowserElement INTEGER"
")"));
}
// Returns whether the given combination of expire type and expire time are
// expired. Note that EXPIRE_SESSION only honors expireTime if it is nonzero.
bool PermissionManager::HasExpired(uint32_t aExpireType, int64_t aExpireTime) {
return (aExpireType == nsIPermissionManager::EXPIRE_TIME ||
(aExpireType == nsIPermissionManager::EXPIRE_SESSION &&
aExpireTime != 0)) &&
aExpireTime <= EXPIRY_NOW;
}
NS_IMETHODIMP
PermissionManager::AddFromPrincipalAndPersistInPrivateBrowsing(
nsIPrincipal* aPrincipal, const nsACString& aType, uint32_t aPermission) {
ENSURE_NOT_CHILD_PROCESS;
bool isValidPermissionPrincipal = false;
nsresult rv = ShouldHandlePrincipalForPermission(aPrincipal,
isValidPermissionPrincipal);
NS_ENSURE_SUCCESS(rv, rv);
if (!isValidPermissionPrincipal) {
// return early if the principal is invalid for permissions
return rv;
}
// A modificationTime of zero will cause AddInternal to use now().
int64_t modificationTime = 0;
return AddInternal(aPrincipal, aType, aPermission, 0,
nsIPermissionManager::EXPIRE_NEVER,
/* aExpireTime */ 0, modificationTime, eNotify, eWriteToDB,
/* aIgnoreSessionPermissions */ false,
/* aOriginString*/ nullptr,
/* aAllowPersistInPrivateBrowsing */ true);
}
NS_IMETHODIMP
PermissionManager::AddDefaultFromPrincipal(nsIPrincipal* aPrincipal,
const nsACString& aType,
uint32_t aPermission) {
ENSURE_NOT_CHILD_PROCESS;
MOZ_ASSERT(mState == eReady);
bool isValidPermissionPrincipal = false;
nsresult rv = ShouldHandlePrincipalForPermission(aPrincipal,
isValidPermissionPrincipal);
NS_ENSURE_SUCCESS(rv, rv);
if (!isValidPermissionPrincipal) {
// return early if the principal is invalid for permissions
return rv;
}
nsCString origin;
rv = GetOriginFromPrincipal(aPrincipal, IsOAForceStripPermission(aType),
origin);
NS_ENSURE_SUCCESS(rv, rv);
DefaultEntry entry;
{
// Lock for mDefaultEntriesForImport
MonitorAutoLock lock(mMonitor);
// Try to update existing entry in mDefaultEntriesForImport, which will
// later be used to restore the default permissions when permissions are
// cleared
bool updatedExistingEntry = false;
nsTArray<DefaultEntry>::iterator defaultEntry =
mDefaultEntriesForImport.begin();
while (defaultEntry != mDefaultEntriesForImport.end()) {
if (defaultEntry->mType == aType && defaultEntry->mOrigin == origin) {
defaultEntry->mPermission = aPermission;
entry = *defaultEntry;
if (aPermission == nsIPermissionManager::UNKNOWN_ACTION) {
mDefaultEntriesForImport.RemoveElementAt(defaultEntry);
}
updatedExistingEntry = true;
break;
}
++defaultEntry;
}
// Or add a new entry if there wasn't already one and we aren't deleting the
// default permission
if (!updatedExistingEntry) {
entry.mOrigin = origin;
entry.mPermission = aPermission;
entry.mType = aType;
if (aPermission != nsIPermissionManager::UNKNOWN_ACTION) {
mDefaultEntriesForImport.AppendElement(entry);
}
}
}
// So far, we have only updated mDefaultEntriesForImport for later recovery.
// Now, we actually need to import this change into the permission manager.
return ImportDefaultEntry(entry);
}
NS_IMETHODIMP
PermissionManager::AddFromPrincipal(nsIPrincipal* aPrincipal,
const nsACString& aType,
uint32_t aPermission, uint32_t aExpireType,
int64_t aExpireTime) {
ENSURE_NOT_CHILD_PROCESS;
NS_ENSURE_TRUE(aExpireType == nsIPermissionManager::EXPIRE_NEVER ||
aExpireType == nsIPermissionManager::EXPIRE_TIME ||
aExpireType == nsIPermissionManager::EXPIRE_SESSION ||
aExpireType == nsIPermissionManager::EXPIRE_POLICY,
NS_ERROR_INVALID_ARG);
// Skip addition if the permission is already expired.
if (HasExpired(aExpireType, aExpireTime)) {
return NS_OK;
}
bool isValidPermissionPrincipal = false;
nsresult rv = ShouldHandlePrincipalForPermission(aPrincipal,
isValidPermissionPrincipal);
NS_ENSURE_SUCCESS(rv, rv);
if (!isValidPermissionPrincipal) {
// return early if the principal is invalid for permissions
return rv;
}
// A modificationTime of zero will cause AddInternal to use now().
int64_t modificationTime = 0;
return AddInternal(aPrincipal, aType, aPermission, 0, aExpireType,
aExpireTime, modificationTime, eNotify, eWriteToDB);
}
NS_IMETHODIMP
PermissionManager::TestAddFromPrincipalByTime(nsIPrincipal* aPrincipal,
const nsACString& aType,
uint32_t aPermission,
int64_t aModificationTime) {
ENSURE_NOT_CHILD_PROCESS;
bool isValidPermissionPrincipal = false;
nsresult rv = ShouldHandlePrincipalForPermission(aPrincipal,
isValidPermissionPrincipal);
NS_ENSURE_SUCCESS(rv, rv);
if (!isValidPermissionPrincipal) {
// return early if the principal is invalid for permissions
return rv;
}
return AddInternal(aPrincipal, aType, aPermission, 0,
nsIPermissionManager::EXPIRE_NEVER, 0, aModificationTime,
eNotify, eWriteToDB);
}
nsresult PermissionManager::AddInternal(
nsIPrincipal* aPrincipal, const nsACString& aType, uint32_t aPermission,
int64_t aID, uint32_t aExpireType, int64_t aExpireTime,
int64_t aModificationTime, NotifyOperationType aNotifyOperation,
DBOperationType aDBOperation, const bool aIgnoreSessionPermissions,
const nsACString* aOriginString,
const bool aAllowPersistInPrivateBrowsing) {
MOZ_ASSERT(NS_IsMainThread());
// If this is a default permission, no changes should not be written to disk.
MOZ_ASSERT((aID != cIDPermissionIsDefault) || (aDBOperation != eWriteToDB));
EnsureReadCompleted();
nsresult rv = NS_OK;
nsAutoCString origin;
// Only attempt to compute the origin string when it is going to be needed
// later on in the function.
if (!IsChildProcess() ||
(aDBOperation == eWriteToDB && IsPersistentExpire(aExpireType, aType))) {
if (aOriginString) {
// Use the origin string provided by the caller.
origin = *aOriginString;
} else {
if (IsSiteScopedPermission(aType)) {
rv = GetSiteFromPrincipal(aPrincipal, IsOAForceStripPermission(aType),
origin);
} else {
// Compute it from the principal provided.
rv = GetOriginFromPrincipal(aPrincipal, IsOAForceStripPermission(aType),
origin);
}
NS_ENSURE_SUCCESS(rv, rv);
}
}
// Unless the caller sets aAllowPersistInPrivateBrowsing, only store
// permissions for the session in Private Browsing. Except for default
// permissions which are stored in-memory only and imported each startup. We
// also allow setting persistent UKNOWN_ACTION, to support removing default
// private browsing permissions.
if (!aAllowPersistInPrivateBrowsing && aID != cIDPermissionIsDefault &&
aPermission != UNKNOWN_ACTION && aExpireType != EXPIRE_SESSION) {
uint32_t privateBrowsingId =
nsScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID;
nsresult rv = aPrincipal->GetPrivateBrowsingId(&privateBrowsingId);
if (NS_SUCCEEDED(rv) &&
privateBrowsingId !=
nsScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID) {
aExpireType = EXPIRE_SESSION;
}
}
// Let's send the new permission to the content process only if it has to be
// notified.
if (!IsChildProcess() && aNotifyOperation == eNotify) {
IPC::Permission permission(origin, aType, aPermission, aExpireType,
aExpireTime);
nsAutoCString permissionKey;
GetKeyForPermission(aPrincipal, aType, permissionKey);
bool isSecondaryKeyed;
nsAutoCString secondaryKey;
isSecondaryKeyed = GetSecondaryKey(aType, secondaryKey);
if (isSecondaryKeyed) {
NotifySecondaryKeyPermissionUpdateInContentProcess(
aType, aPermission, secondaryKey, aPrincipal);
}
nsTArray<ContentParent*> cplist;
ContentParent::GetAll(cplist);
for (uint32_t i = 0; i < cplist.Length(); ++i) {
ContentParent* cp = cplist[i];
if (cp->NeedsPermissionsUpdate(permissionKey)) {
Unused << cp->SendAddPermission(permission);
}
}
}
MOZ_ASSERT(PermissionAvailable(aPrincipal, aType));
// look up the type index
int32_t typeIndex = GetTypeIndex(aType, true);
NS_ENSURE_TRUE(typeIndex != -1, NS_ERROR_OUT_OF_MEMORY);
// When an entry already exists, PutEntry will return that, instead
// of adding a new one
RefPtr<PermissionKey> key = PermissionKey::CreateFromPrincipal(
aPrincipal, IsOAForceStripPermission(aType),
IsSiteScopedPermission(aType), rv);
if (!key) {
MOZ_ASSERT(NS_FAILED(rv));
return rv;
}
PermissionHashKey* entry = mPermissionTable.PutEntry(key);
if (!entry) return NS_ERROR_FAILURE;
if (!entry->GetKey()) {
mPermissionTable.RemoveEntry(entry);
return NS_ERROR_OUT_OF_MEMORY;
}
// figure out the transaction type, and get any existing permission value
OperationType op;
int32_t index = entry->GetPermissionIndex(typeIndex);
if (index == -1) {
if (aPermission == nsIPermissionManager::UNKNOWN_ACTION)
op = eOperationNone;
else
op = eOperationAdding;
} else {
PermissionEntry oldPermissionEntry = entry->GetPermissions()[index];
// remove the permission if the permission is UNKNOWN, update the
// permission if its value or expire type have changed OR if the time has
// changed and the expire type is time, otherwise, don't modify. There's
// no need to modify a permission that doesn't expire with time when the
// only thing changed is the expire time.
if (aPermission == oldPermissionEntry.mPermission &&
aExpireType == oldPermissionEntry.mExpireType &&
(aExpireType == nsIPermissionManager::EXPIRE_NEVER ||
aExpireTime == oldPermissionEntry.mExpireTime)) {
op = eOperationNone;
} else if (oldPermissionEntry.mID == cIDPermissionIsDefault &&
aID != cIDPermissionIsDefault) {
// An existing default permission already exists, but the new permission
// isn't a default permission. This case requires some special handing.
op = eOperationReplacingDefault;
} else if (oldPermissionEntry.mID != cIDPermissionIsDefault &&
aID == cIDPermissionIsDefault) {
// We are adding a default permission but a "real" permission already
// exists. This means we don't have to do anything here.
op = eOperationNone;
} else if (aPermission == nsIPermissionManager::UNKNOWN_ACTION) {
// At this point, both the old and new permission are either both default
// permissions, or both not default permissions. Now we only need to check
// wether to change or remove the old permission.
op = eOperationRemoving;
} else {
op = eOperationChanging;
}
}
// child processes should *always* be passed a modificationTime of zero.
MOZ_ASSERT(!IsChildProcess() || aModificationTime == 0);
// do the work for adding, deleting, or changing a permission:
// update the in-memory list, write to the db, and notify consumers.
int64_t id;
if (aModificationTime == 0) {
aModificationTime = EXPIRY_NOW;
}
switch (op) {
case eOperationNone: {
// nothing to do
return NS_OK;
}
case eOperationAdding: {
if (aDBOperation == eWriteToDB) {
// we'll be writing to the database - generate a known unique id
id = ++mLargestID;
} else {
// we're reading from the database - use the id already assigned
id = aID;
}
entry->GetPermissions().AppendElement(
PermissionEntry(id, typeIndex, aPermission, aExpireType, aExpireTime,
aModificationTime));
if (aDBOperation == eWriteToDB &&
IsPersistentExpire(aExpireType, aType)) {
UpdateDB(op, id, origin, aType, aPermission, aExpireType, aExpireTime,
aModificationTime);
}
if (aNotifyOperation == eNotify) {
NotifyObserversWithPermission(aPrincipal, mTypeArray[typeIndex],
aPermission, aExpireType, aExpireTime,
aModificationTime, u"added");
}
break;
}
case eOperationRemoving: {
PermissionEntry oldPermissionEntry = entry->GetPermissions()[index];
id = oldPermissionEntry.mID;
// If the type we want to remove is EXPIRE_POLICY, we need to reject
// attempts to change the permission.
if (entry->GetPermissions()[index].mExpireType == EXPIRE_POLICY) {
NS_WARNING("Attempting to remove EXPIRE_POLICY permission");
break;
}
entry->GetPermissions().RemoveElementAt(index);
if (aDBOperation == eWriteToDB)
// We care only about the id here so we pass dummy values for all other
// parameters.
UpdateDB(op, id, ""_ns, ""_ns, 0, nsIPermissionManager::EXPIRE_NEVER, 0,
0);
if (aNotifyOperation == eNotify) {
NotifyObserversWithPermission(
aPrincipal, mTypeArray[typeIndex], oldPermissionEntry.mPermission,
oldPermissionEntry.mExpireType, oldPermissionEntry.mExpireTime,
oldPermissionEntry.mModificationTime, u"deleted");
}
// If there are no more permissions stored for that entry, clear it.
if (entry->GetPermissions().IsEmpty()) {
mPermissionTable.RemoveEntry(entry);
}
// If the entry we are removing is not a default, restore the potential
// default entry in-memory
if (oldPermissionEntry.mID != cIDPermissionIsDefault) {
for (const DefaultEntry& defaultEntry : mDefaultEntriesForImport) {
if (defaultEntry.mType == aType && defaultEntry.mOrigin == origin &&
defaultEntry.mPermission !=
nsIPermissionManager::UNKNOWN_ACTION) {
rv = ImportDefaultEntry(defaultEntry);
NS_ENSURE_SUCCESS(rv, rv);
break;
}
}
}
break;
}
case eOperationChanging: {
id = entry->GetPermissions()[index].mID;
// If the existing type is EXPIRE_POLICY, we need to reject attempts to
// change the permission.
if (entry->GetPermissions()[index].mExpireType == EXPIRE_POLICY) {
NS_WARNING("Attempting to modify EXPIRE_POLICY permission");
break;
}
PermissionEntry oldPermissionEntry = entry->GetPermissions()[index];
// If the new expireType is EXPIRE_SESSION, then we have to keep a
// copy of the previous permission/expireType values. This cached value
// will be used when restoring the permissions of an app.
if (entry->GetPermissions()[index].mExpireType !=
nsIPermissionManager::EXPIRE_SESSION &&
aExpireType == nsIPermissionManager::EXPIRE_SESSION) {
entry->GetPermissions()[index].mNonSessionPermission =
entry->GetPermissions()[index].mPermission;
entry->GetPermissions()[index].mNonSessionExpireType =
entry->GetPermissions()[index].mExpireType;
entry->GetPermissions()[index].mNonSessionExpireTime =
entry->GetPermissions()[index].mExpireTime;
} else if (aExpireType != nsIPermissionManager::EXPIRE_SESSION) {
entry->GetPermissions()[index].mNonSessionPermission = aPermission;
entry->GetPermissions()[index].mNonSessionExpireType = aExpireType;
entry->GetPermissions()[index].mNonSessionExpireTime = aExpireTime;
}
entry->GetPermissions()[index].mPermission = aPermission;
entry->GetPermissions()[index].mExpireType = aExpireType;
entry->GetPermissions()[index].mExpireTime = aExpireTime;
entry->GetPermissions()[index].mModificationTime = aModificationTime;
if (aDBOperation == eWriteToDB) {
bool newIsPersistentExpire = IsPersistentExpire(aExpireType, aType);
bool oldIsPersistentExpire =
IsPersistentExpire(oldPermissionEntry.mExpireType, aType);
if (!newIsPersistentExpire && oldIsPersistentExpire) {
// Maybe we have to remove the previous permission if that was
// persistent.
UpdateDB(eOperationRemoving, id, ""_ns, ""_ns, 0,
nsIPermissionManager::EXPIRE_NEVER, 0, 0);
} else if (newIsPersistentExpire && !oldIsPersistentExpire) {
// It could also be that the previous permission was session-only but
// this needs to be written into the DB. In this case, we have to run
// an Adding operation.
UpdateDB(eOperationAdding, id, origin, aType, aPermission,
aExpireType, aExpireTime, aModificationTime);
} else if (newIsPersistentExpire) {
// This is the a simple update. We care only about the id, the
// permission and expireType/expireTime/modificationTime here. We pass
// dummy values for all other parameters.
UpdateDB(op, id, ""_ns, ""_ns, aPermission, aExpireType, aExpireTime,
aModificationTime);
}
}
if (aNotifyOperation == eNotify) {
NotifyObserversWithPermission(aPrincipal, mTypeArray[typeIndex],
aPermission, aExpireType, aExpireTime,
aModificationTime, u"changed");
}
break;
}
case eOperationReplacingDefault: {
// this is handling the case when we have an existing permission
// entry that was created as a "default" (and thus isn't in the DB) with
// an explicit permission (that may include UNKNOWN_ACTION.)
// Note we will *not* get here if we are replacing an already replaced
// default value - that is handled as eOperationChanging.
// So this is a hybrid of eOperationAdding (as we are writing a new entry
// to the DB) and eOperationChanging (as we are replacing the in-memory
// repr and sending a "changed" notification).
// We want a new ID even if not writing to the DB, so the modified entry
// in memory doesn't have the magic cIDPermissionIsDefault value.
id = ++mLargestID;
// The default permission being replaced can't have session expiry or
// policy expiry.
NS_ENSURE_TRUE(entry->GetPermissions()[index].mExpireType !=
nsIPermissionManager::EXPIRE_SESSION,
NS_ERROR_UNEXPECTED);
NS_ENSURE_TRUE(entry->GetPermissions()[index].mExpireType !=
nsIPermissionManager::EXPIRE_POLICY,
NS_ERROR_UNEXPECTED);
// We don't support the new entry having any expiry - supporting that
// would make things far more complex and none of the permissions we set
// as a default support that.
NS_ENSURE_TRUE(aExpireType == EXPIRE_NEVER, NS_ERROR_UNEXPECTED);
// update the existing entry in memory.
entry->GetPermissions()[index].mID = id;
entry->GetPermissions()[index].mPermission = aPermission;
entry->GetPermissions()[index].mExpireType = aExpireType;
entry->GetPermissions()[index].mExpireTime = aExpireTime;
entry->GetPermissions()[index].mModificationTime = aModificationTime;
// If requested, create the entry in the DB.
if (aDBOperation == eWriteToDB &&
IsPersistentExpire(aExpireType, aType)) {
UpdateDB(eOperationAdding, id, origin, aType, aPermission, aExpireType,
aExpireTime, aModificationTime);
}
if (aNotifyOperation == eNotify) {
NotifyObserversWithPermission(aPrincipal, mTypeArray[typeIndex],
aPermission, aExpireType, aExpireTime,
aModificationTime, u"changed");
}
} break;
}
return NS_OK;
}
NS_IMETHODIMP
PermissionManager::RemoveFromPrincipal(nsIPrincipal* aPrincipal,
const nsACString& aType) {
ENSURE_NOT_CHILD_PROCESS;
NS_ENSURE_ARG_POINTER(aPrincipal);
// System principals are never added to the database, no need to remove them.
if (aPrincipal->IsSystemPrincipal()) {
return NS_OK;
}
// Permissions may not be added to expanded principals.
if (IsExpandedPrincipal(aPrincipal)) {
return NS_ERROR_INVALID_ARG;
}
// AddInternal() handles removal, just let it do the work
return AddInternal(aPrincipal, aType, nsIPermissionManager::UNKNOWN_ACTION, 0,
nsIPermissionManager::EXPIRE_NEVER, 0, 0, eNotify,
eWriteToDB);
}
NS_IMETHODIMP
PermissionManager::RemovePermission(nsIPermission* aPerm) {
if (!aPerm) {
return NS_OK;
}
nsCOMPtr<nsIPrincipal> principal;
nsresult rv = aPerm->GetPrincipal(getter_AddRefs(principal));
NS_ENSURE_SUCCESS(rv, rv);
nsAutoCString type;
rv = aPerm->GetType(type);
NS_ENSURE_SUCCESS(rv, rv);
// Permissions are uniquely identified by their principal and type.
// We remove the permission using these two pieces of data.
return RemoveFromPrincipal(principal, type);
}
NS_IMETHODIMP
PermissionManager::RemoveAll() {
ENSURE_NOT_CHILD_PROCESS;
return RemoveAllInternal(true);
}
NS_IMETHODIMP
PermissionManager::RemoveAllSince(int64_t aSince) {
ENSURE_NOT_CHILD_PROCESS;
return RemoveAllModifiedSince(aSince);
}
NS_IMETHODIMP
PermissionManager::RemoveAllExceptTypes(
const nsTArray<nsCString>& aTypeExceptions) {
ENSURE_NOT_CHILD_PROCESS;
// Need to make sure read is done before we get the type index. Type indexes
// are populated from DB.
EnsureReadCompleted();
if (aTypeExceptions.IsEmpty()) {
return RemoveAllInternal(true);
}
return RemovePermissionEntries([&](const PermissionEntry& aPermEntry) {
return !aTypeExceptions.Contains(mTypeArray[aPermEntry.mType]);
});
}
template <class T>
nsresult PermissionManager::RemovePermissionEntries(T aCondition) {
EnsureReadCompleted();
Vector<std::tuple<nsCOMPtr<nsIPrincipal>, nsCString, nsCString>, 10> array;
for (const PermissionHashKey& entry : mPermissionTable) {
for (const auto& permEntry : entry.GetPermissions()) {
if (!aCondition(permEntry)) {
continue;
}
nsCOMPtr<nsIPrincipal> principal;
nsresult rv = GetPrincipalFromOrigin(
entry.GetKey()->mOrigin,
IsOAForceStripPermission(mTypeArray[permEntry.mType]),
getter_AddRefs(principal));
if (NS_FAILED(rv)) {
continue;
}
if (!array.emplaceBack(principal, mTypeArray[permEntry.mType],
entry.GetKey()->mOrigin)) {
continue;
}
}
}
for (auto& i : array) {
// AddInternal handles removal, so let it do the work...
AddInternal(
std::get<0>(i), std::get<1>(i), nsIPermissionManager::UNKNOWN_ACTION, 0,
nsIPermissionManager::EXPIRE_NEVER, 0, 0, PermissionManager::eNotify,
PermissionManager::eWriteToDB, false, &std::get<2>(i));
}
return NS_OK;
}
NS_IMETHODIMP
PermissionManager::RemoveByType(const nsACString& aType) {
ENSURE_NOT_CHILD_PROCESS;
// Need to make sure read is done before we get the type index. Type indexes
// are populated from DB.
EnsureReadCompleted();
int32_t typeIndex = GetTypeIndex(aType, false);
// If type == -1, the type isn't known,
// so just return NS_OK
if (typeIndex == -1) {
return NS_OK;
}
return RemovePermissionEntries(
[typeIndex](const PermissionEntry& aPermEntry) {
return static_cast<uint32_t>(typeIndex) == aPermEntry.mType;
});
}
NS_IMETHODIMP
PermissionManager::RemoveByTypeSince(const nsACString& aType,
int64_t aModificationTime) {
ENSURE_NOT_CHILD_PROCESS;
// Need to make sure read is done before we get the type index. Type indexes
// are populated from DB.
EnsureReadCompleted();
int32_t typeIndex = GetTypeIndex(aType, false);
// If type == -1, the type isn't known,
// so just return NS_OK
if (typeIndex == -1) {
return NS_OK;
}
return RemovePermissionEntries(
[typeIndex, aModificationTime](const PermissionEntry& aPermEntry) {
return uint32_t(typeIndex) == aPermEntry.mType &&
aModificationTime <= aPermEntry.mModificationTime;
});
}
NS_IMETHODIMP
PermissionManager::RemoveAllSinceWithTypeExceptions(
int64_t aModificationTime, const nsTArray<nsCString>& aTypeExceptions) {
ENSURE_NOT_CHILD_PROCESS;
// Need to make sure read is done before we get the type index. Type indexes
// are populated from DB.
EnsureReadCompleted();
return RemovePermissionEntries([&](const PermissionEntry& aPermEntry) {
return !aTypeExceptions.Contains(mTypeArray[aPermEntry.mType]) &&
aModificationTime <= aPermEntry.mModificationTime;
});
}
void PermissionManager::CloseDB(CloseDBNextOp aNextOp) {
EnsureReadCompleted();
mState = eClosed;
nsCOMPtr<nsIInputStream> defaultsInputStream;
if (aNextOp == eRebuldOnSuccess) {
defaultsInputStream = GetDefaultsInputStream();
}
RefPtr<PermissionManager> self = this;
mThread->Dispatch(NS_NewRunnableFunction(
"PermissionManager::CloseDB", [self, aNextOp, defaultsInputStream] {
auto data = self->mThreadBoundData.Access();
// Null the statements, this will finalize them.
data->mStmtInsert = nullptr;
data->mStmtDelete = nullptr;
data->mStmtUpdate = nullptr;
if (data->mDBConn) {
DebugOnly<nsresult> rv = data->mDBConn->Close();
MOZ_ASSERT(NS_SUCCEEDED(rv));
data->mDBConn = nullptr;
if (aNextOp == eRebuldOnSuccess) {
self->TryInitDB(true, defaultsInputStream);
}
}
if (aNextOp == eShutdown) {
NS_DispatchToMainThread(NS_NewRunnableFunction(
"PermissionManager::MaybeCompleteShutdown",
[self] { self->MaybeCompleteShutdown(); }));
}
}));
}
nsresult PermissionManager::RemoveAllFromIPC() {
MOZ_ASSERT(IsChildProcess());
// Remove from memory and notify immediately. Since the in-memory
// database is authoritative, we do not need confirmation from the
// on-disk database to notify observers.
RemoveAllFromMemory();
return NS_OK;
}
nsresult PermissionManager::RemoveAllInternal(bool aNotifyObservers) {
ENSURE_NOT_CHILD_PROCESS;
EnsureReadCompleted();
// Let's broadcast the removeAll() to any content process.
nsTArray<ContentParent*> parents;
ContentParent::GetAll(parents);
for (ContentParent* parent : parents) {
Unused << parent->SendRemoveAllPermissions();
}
// Remove from memory and notify immediately. Since the in-memory
// database is authoritative, we do not need confirmation from the
// on-disk database to notify observers.
RemoveAllFromMemory();
// Re-import the defaults
ImportLatestDefaults();
if (aNotifyObservers) {
NotifyObservers(nullptr, u"cleared");
}
RefPtr<PermissionManager> self = this;
mThread->Dispatch(
NS_NewRunnableFunction("PermissionManager::RemoveAllInternal", [self] {
auto data = self->mThreadBoundData.Access();
if (self->mState == eClosed || !data->mDBConn) {
return;
}
// clear the db
nsresult rv =
data->mDBConn->ExecuteSimpleSQL("DELETE FROM moz_perms"_ns);
if (NS_WARN_IF(NS_FAILED(rv))) {
NS_DispatchToMainThread(NS_NewRunnableFunction(
"PermissionManager::RemoveAllInternal-Failure",
[self] { self->CloseDB(eRebuldOnSuccess); }));
}
}));
return NS_OK;
}
NS_IMETHODIMP
PermissionManager::TestExactPermissionFromPrincipal(nsIPrincipal* aPrincipal,
const nsACString& aType,
uint32_t* aPermission) {
return CommonTestPermission(aPrincipal, -1, aType, aPermission,
nsIPermissionManager::UNKNOWN_ACTION, false, true,
true);
}
NS_IMETHODIMP
PermissionManager::TestExactPermanentPermission(nsIPrincipal* aPrincipal,
const nsACString& aType,
uint32_t* aPermission) {
return CommonTestPermission(aPrincipal, -1, aType, aPermission,
nsIPermissionManager::UNKNOWN_ACTION, false, true,
false);
}
NS_IMETHODIMP
PermissionManager::TestPermissionFromPrincipal(nsIPrincipal* aPrincipal,
const nsACString& aType,
uint32_t* aPermission) {
return CommonTestPermission(aPrincipal, -1, aType, aPermission,
nsIPermissionManager::UNKNOWN_ACTION, false,
false, true);
}
NS_IMETHODIMP
PermissionManager::GetPermissionObject(nsIPrincipal* aPrincipal,
const nsACString& aType,
bool aExactHostMatch,
nsIPermission** aResult) {
NS_ENSURE_ARG_POINTER(aPrincipal);
*aResult = nullptr;
EnsureReadCompleted();
if (aPrincipal->IsSystemPrincipal()) {
return NS_OK;
}
// Querying the permission object of an nsEP is non-sensical.
if (IsExpandedPrincipal(aPrincipal)) {
return NS_ERROR_INVALID_ARG;
}
MOZ_ASSERT(PermissionAvailable(aPrincipal, aType));
int32_t typeIndex = GetTypeIndex(aType, false);
// If type == -1, the type isn't known,
// so just return NS_OK
if (typeIndex == -1) return NS_OK;
PermissionHashKey* entry =
GetPermissionHashKey(aPrincipal, typeIndex, aExactHostMatch);
if (!entry) {
return NS_OK;
}
// We don't call GetPermission(typeIndex) because that returns a fake
// UNKNOWN_ACTION entry if there is no match.
int32_t idx = entry->GetPermissionIndex(typeIndex);
if (-1 == idx) {
return NS_OK;
}
nsCOMPtr<nsIPrincipal> principal;
nsresult rv = GetPrincipalFromOrigin(entry->GetKey()->mOrigin,
IsOAForceStripPermission(aType),
getter_AddRefs(principal));
NS_ENSURE_SUCCESS(rv, rv);
PermissionEntry& perm = entry->GetPermissions()[idx];
nsCOMPtr<nsIPermission> r = Permission::Create(
principal, mTypeArray[perm.mType], perm.mPermission, perm.mExpireType,
perm.mExpireTime, perm.mModificationTime);
if (NS_WARN_IF(!r)) {
return NS_ERROR_FAILURE;
}
r.forget(aResult);
return NS_OK;
}
nsresult PermissionManager::CommonTestPermissionInternal(
nsIPrincipal* aPrincipal, nsIURI* aURI,
const OriginAttributes* aOriginAttributes, int32_t aTypeIndex,
const nsACString& aType, uint32_t* aPermission, bool aExactHostMatch,
bool aIncludingSession) {
MOZ_ASSERT(aPrincipal || aURI);
NS_ENSURE_ARG_POINTER(aPrincipal || aURI);
MOZ_ASSERT_IF(aPrincipal, !aURI && !aOriginAttributes);
MOZ_ASSERT_IF(aURI || aOriginAttributes, !aPrincipal);
EnsureReadCompleted();
#ifdef DEBUG
{
nsCOMPtr<nsIPrincipal> prin = aPrincipal;
if (!prin) {
if (aURI) {
prin = BasePrincipal::CreateContentPrincipal(aURI, OriginAttributes());
}
}
MOZ_ASSERT(prin);
MOZ_ASSERT(PermissionAvailable(prin, aType));
}
#endif
PermissionHashKey* entry =
aPrincipal ? GetPermissionHashKey(aPrincipal, aTypeIndex, aExactHostMatch)
: GetPermissionHashKey(aURI, aOriginAttributes, aTypeIndex,
aExactHostMatch);
if (!entry || (!aIncludingSession &&
entry->GetPermission(aTypeIndex).mNonSessionExpireType ==
nsIPermissionManager::EXPIRE_SESSION)) {
return NS_OK;
}
*aPermission = aIncludingSession
? entry->GetPermission(aTypeIndex).mPermission
: entry->GetPermission(aTypeIndex).mNonSessionPermission;
return NS_OK;
}
// Helper function to filter permissions using a condition function.
template <class T>
nsresult PermissionManager::GetPermissionEntries(
T aCondition, nsTArray<RefPtr<nsIPermission>>& aResult) {
aResult.Clear();
if (XRE_IsContentProcess()) {
NS_WARNING(
"Iterating over all permissions is not available in the "
"content process, as not all permissions may be available.");
return NS_ERROR_NOT_AVAILABLE;
}
EnsureReadCompleted();
for (const PermissionHashKey& entry : mPermissionTable) {
for (const auto& permEntry : entry.GetPermissions()) {
// Given how "default" permissions work and the possibility of them being
// overridden with UNKNOWN_ACTION, we might see this value here - but we
// do *not* want to return them via the enumerator.
if (permEntry.mPermission == nsIPermissionManager::UNKNOWN_ACTION) {
continue;
}
// If the permission is expired, skip it. We're not deleting it here
// because we're iterating over a lot of permissions.
// It will be removed as part of the daily maintenance later.
if (HasExpired(permEntry.mExpireType, permEntry.mExpireTime)) {
continue;
}
if (!aCondition(permEntry)) {
continue;
}
nsCOMPtr<nsIPrincipal> principal;
nsresult rv = GetPrincipalFromOrigin(
entry.GetKey()->mOrigin,
IsOAForceStripPermission(mTypeArray[permEntry.mType]),
getter_AddRefs(principal));
if (NS_FAILED(rv)) {
continue;
}
RefPtr<nsIPermission> permission = Permission::Create(
principal, mTypeArray[permEntry.mType], permEntry.mPermission,
permEntry.mExpireType, permEntry.mExpireTime,
permEntry.mModificationTime);
if (NS_WARN_IF(!permission)) {
continue;
}
aResult.AppendElement(std::move(permission));
}
}
return NS_OK;
}
NS_IMETHODIMP PermissionManager::GetAll(
nsTArray<RefPtr<nsIPermission>>& aResult) {
return GetPermissionEntries(
[](const PermissionEntry& aPermEntry) { return true; }, aResult);
}
NS_IMETHODIMP PermissionManager::GetAllByTypeSince(
const nsACString& aPrefix, int64_t aSince,
nsTArray<RefPtr<nsIPermission>>& aResult) {
// Check that aSince is a reasonable point in time, not in the future
if (aSince > (PR_Now() / PR_USEC_PER_MSEC)) {
return NS_ERROR_INVALID_ARG;
}
return GetPermissionEntries(
[&](const PermissionEntry& aPermEntry) {
return mTypeArray[aPermEntry.mType].Equals(aPrefix) &&
aSince <= aPermEntry.mModificationTime;
},
aResult);
}
NS_IMETHODIMP PermissionManager::GetAllWithTypePrefix(
const nsACString& aPrefix, nsTArray<RefPtr<nsIPermission>>& aResult) {
return GetPermissionEntries(
[&](const PermissionEntry& aPermEntry) {
return StringBeginsWith(mTypeArray[aPermEntry.mType], aPrefix);
},
aResult);
}
NS_IMETHODIMP PermissionManager::GetAllByTypes(
const nsTArray<nsCString>& aTypes,
nsTArray<RefPtr<nsIPermission>>& aResult) {
if (aTypes.IsEmpty()) {
return NS_OK;
}
return GetPermissionEntries(
[&](const PermissionEntry& aPermEntry) {
return aTypes.Contains(mTypeArray[aPermEntry.mType]);
},
aResult);
}
nsresult PermissionManager::ShouldHandlePrincipalForPermission(
nsIPrincipal* aPrincipal, bool& aIsPermissionPrincipalValid) {
NS_ENSURE_ARG_POINTER(aPrincipal);
// We don't add the system principal because it actually has no URI and we
// always allow action for them.
if (aPrincipal->IsSystemPrincipal()) {
aIsPermissionPrincipalValid = false;
return NS_OK;
}
// Null principals can't meaningfully have persisted permissions attached to
// them, so we don't allow adding permissions for them.
if (aPrincipal->GetIsNullPrincipal()) {
aIsPermissionPrincipalValid = false;
return NS_OK;
}
// Permissions may not be added to expanded principals.
if (IsExpandedPrincipal(aPrincipal)) {
aIsPermissionPrincipalValid = false;
return NS_ERROR_INVALID_ARG;
}
// Permission principal is valid
aIsPermissionPrincipalValid = true;
return NS_OK;
}
nsresult PermissionManager::GetAllForPrincipalHelper(
nsIPrincipal* aPrincipal, bool aSiteScopePermissions,
nsTArray<RefPtr<nsIPermission>>& aResult) {
nsresult rv;
RefPtr<PermissionKey> key = PermissionKey::CreateFromPrincipal(
aPrincipal, false, aSiteScopePermissions, rv);
if (!key) {
MOZ_ASSERT(NS_FAILED(rv));
return rv;
}
PermissionHashKey* entry = mPermissionTable.GetEntry(key);
nsTArray<PermissionEntry> strippedPerms;
rv = GetStripPermsForPrincipal(aPrincipal, aSiteScopePermissions,
strippedPerms);
if (NS_FAILED(rv)) {
return rv;
}
if (entry) {
for (const auto& permEntry : entry->GetPermissions()) {
// Only return custom permissions
if (permEntry.mPermission == nsIPermissionManager::UNKNOWN_ACTION) {
continue;
}
// If the permission is expired, skip it. We're not deleting it here
// because we're iterating over a lot of permissions.
// It will be removed as part of the daily maintenance later.
if (HasExpired(permEntry.mExpireType, permEntry.mExpireTime)) {
continue;
}
// Make sure that we only get site scoped permissions if this
// helper is being invoked for that purpose.
if (aSiteScopePermissions !=
IsSiteScopedPermission(mTypeArray[permEntry.mType])) {
continue;
}
// Stripped principal permissions overwrite regular ones
// For each permission check if there is a stripped permission we should
// use instead
PermissionEntry perm = permEntry;
nsTArray<PermissionEntry>::index_type index = 0;
for (const auto& strippedPerm : strippedPerms) {
if (strippedPerm.mType == permEntry.mType) {
perm = strippedPerm;
strippedPerms.RemoveElementAt(index);
break;
}
index++;
}
RefPtr<nsIPermission> permission = Permission::Create(
aPrincipal, mTypeArray[perm.mType], perm.mPermission,
perm.mExpireType, perm.mExpireTime, perm.mModificationTime);
if (NS_WARN_IF(!permission)) {
continue;
}
aResult.AppendElement(permission);
}
}
for (const auto& perm : strippedPerms) {
RefPtr<nsIPermission> permission = Permission::Create(
aPrincipal, mTypeArray[perm.mType], perm.mPermission, perm.mExpireType,
perm.mExpireTime, perm.mModificationTime);
if (NS_WARN_IF(!permission)) {
continue;
}
aResult.AppendElement(permission);
}
return NS_OK;
}
NS_IMETHODIMP
PermissionManager::GetAllForPrincipal(
nsIPrincipal* aPrincipal, nsTArray<RefPtr<nsIPermission>>& aResult) {
nsresult rv;
aResult.Clear();
EnsureReadCompleted();
MOZ_ASSERT(PermissionAvailable(aPrincipal, ""_ns));
// First, append the non-site-scoped permissions.
rv = GetAllForPrincipalHelper(aPrincipal, false, aResult);
NS_ENSURE_SUCCESS(rv, rv);
// Second, append the site-scoped permissions.
return GetAllForPrincipalHelper(aPrincipal, true, aResult);
}
NS_IMETHODIMP PermissionManager::Observe(nsISupports* aSubject,
const char* aTopic,
const char16_t* someData) {
ENSURE_NOT_CHILD_PROCESS;
if (!nsCRT::strcmp(aTopic, "profile-do-change") && !mPermissionsFile) {
// profile startup is complete, and we didn't have the permissions file
// before; init the db from the new location
InitDB(false);
} else if (!nsCRT::strcmp(aTopic, "profile-after-change")) {
InitRemotePermissionService();
} else if (!nsCRT::strcmp(aTopic, "testonly-reload-permissions-from-disk")) {
// Testing mechanism to reload all permissions from disk. Because the
// permission manager automatically initializes itself at startup, tests
// that directly manipulate the permissions database need some way to reload
// the database for their changes to have any effect. This mechanism was
// introduced when moving the permissions manager from on-demand startup to
// always being initialized. This is not guarded by a pref because it's not
// dangerous to reload permissions from disk, just bad for performance.
RemoveAllFromMemory();
CloseDB(eNone);
InitDB(false);
InitRemotePermissionService();
} else if (!nsCRT::strcmp(aTopic, OBSERVER_TOPIC_IDLE_DAILY)) {
PerformIdleDailyMaintenance();
}
return NS_OK;
}
nsresult PermissionManager::RemoveAllModifiedSince(int64_t aModificationTime) {
ENSURE_NOT_CHILD_PROCESS;
// Skip remove calls for default permissions to avoid
// creating UNKNOWN_ACTION overrides in AddInternal
return RemovePermissionEntries(
[aModificationTime](const PermissionEntry& aPermEntry) {
return aModificationTime <= aPermEntry.mModificationTime &&
aPermEntry.mID != cIDPermissionIsDefault;
});
}
NS_IMETHODIMP
PermissionManager::RemovePermissionsWithAttributes(
const nsAString& aPattern, const nsTArray<nsCString>& aTypeInclusions,
const nsTArray<nsCString>& aTypeExceptions) {
ENSURE_NOT_CHILD_PROCESS;
OriginAttributesPattern pattern;
if (!pattern.Init(aPattern)) {
return NS_ERROR_INVALID_ARG;
}
return RemovePermissionsWithAttributes(pattern, aTypeInclusions,
aTypeExceptions);
}
nsresult PermissionManager::RemovePermissionsWithAttributes(
OriginAttributesPattern& aPattern,
const nsTArray<nsCString>& aTypeInclusions,
const nsTArray<nsCString>& aTypeExceptions) {
EnsureReadCompleted();
Vector<std::tuple<nsCOMPtr<nsIPrincipal>, nsCString, nsCString>, 10>
permissions;
for (const PermissionHashKey& entry : mPermissionTable) {
nsCOMPtr<nsIPrincipal> principal;
nsresult rv = GetPrincipalFromOrigin(entry.GetKey()->mOrigin, false,
getter_AddRefs(principal));
if (NS_FAILED(rv)) {
continue;
}
if (!aPattern.Matches(principal->OriginAttributesRef())) {
continue;
}
for (const auto& permEntry : entry.GetPermissions()) {
if (aTypeExceptions.Contains(mTypeArray[permEntry.mType])) {
continue;
}
if (!aTypeInclusions.IsEmpty() &&
!aTypeInclusions.Contains(mTypeArray[permEntry.mType])) {
continue;
}
if (!permissions.emplaceBack(principal, mTypeArray[permEntry.mType],
entry.GetKey()->mOrigin)) {
continue;
}
}
}
for (auto& i : permissions) {
AddInternal(
std::get<0>(i), std::get<1>(i), nsIPermissionManager::UNKNOWN_ACTION, 0,
nsIPermissionManager::EXPIRE_NEVER, 0, 0, PermissionManager::eNotify,
PermissionManager::eWriteToDB, false, &std::get<2>(i));
}
return NS_OK;
}
nsresult PermissionManager::GetStripPermsForPrincipal(
nsIPrincipal* aPrincipal, bool aSiteScopePermissions,
nsTArray<PermissionEntry>& aResult) {
aResult.Clear();
aResult.SetCapacity(kStripOAPermissions.size());
#ifdef __clang__
# pragma clang diagnostic push
# pragma clang diagnostic ignored "-Wunreachable-code-return"
#endif
// No special strip permissions
if (kStripOAPermissions.empty()) {
return NS_OK;
}
#ifdef __clang__
# pragma clang diagnostic pop
#endif
nsresult rv;
// Create a key for the principal, but strip any origin attributes.
// The key must be created aware of whether or not we are scoping to site.
RefPtr<PermissionKey> key = PermissionKey::CreateFromPrincipal(
aPrincipal, true, aSiteScopePermissions, rv);
if (!key) {
MOZ_ASSERT(NS_FAILED(rv));
return rv;
}
PermissionHashKey* hashKey = mPermissionTable.GetEntry(key);
if (!hashKey) {
return NS_OK;
}
for (const auto& permType : kStripOAPermissions) {
// if the permission type's site scoping does not match this function call,
// we don't care about it, so continue.
// As of time of writing, this never happens when aSiteScopePermissions
// is true because there is no common permission between kStripOAPermissions
// and kSiteScopedPermissions
if (aSiteScopePermissions != IsSiteScopedPermission(permType)) {
continue;
}
int32_t index = GetTypeIndex(permType, false);
if (index == -1) {
continue;
}
PermissionEntry perm = hashKey->GetPermission(index);
if (perm.mPermission == nsIPermissionManager::UNKNOWN_ACTION) {
continue;
}
aResult.AppendElement(perm);
}
return NS_OK;
}
int32_t PermissionManager::GetTypeIndex(const nsACString& aType, bool aAdd) {
for (uint32_t i = 0; i < mTypeArray.length(); ++i) {
if (mTypeArray[i].Equals(aType)) {
return i;
}
}
if (!aAdd) {
// Not found, but that is ok - we were just looking.
return -1;
}
// This type was not registered before.
// append it to the array, without copy-constructing the string
if (!mTypeArray.emplaceBack(aType)) {
return -1;
}
return mTypeArray.length() - 1;
}
PermissionManager::PermissionHashKey* PermissionManager::GetPermissionHashKey(
nsIPrincipal* aPrincipal, uint32_t aType, bool aExactHostMatch) {
EnsureReadCompleted();
MOZ_ASSERT(PermissionAvailable(aPrincipal, mTypeArray[aType]));
nsresult rv;
RefPtr<PermissionKey> key = PermissionKey::CreateFromPrincipal(
aPrincipal, IsOAForceStripPermission(mTypeArray[aType]),
IsSiteScopedPermission(mTypeArray[aType]), rv);
if (!key) {
return nullptr;
}
PermissionHashKey* entry = mPermissionTable.GetEntry(key);
if (entry) {
PermissionEntry permEntry = entry->GetPermission(aType);
// if the entry is expired, remove and keep looking for others.
if (HasExpired(permEntry.mExpireType, permEntry.mExpireTime)) {
entry = nullptr;
RemoveFromPrincipal(aPrincipal, mTypeArray[aType]);
} else if (permEntry.mPermission == nsIPermissionManager::UNKNOWN_ACTION) {
entry = nullptr;
}
}
if (entry) {
return entry;
}
// If aExactHostMatch wasn't true, we can check if the base domain has a
// permission entry.
if (!aExactHostMatch) {
nsCOMPtr<nsIPrincipal> principal = aPrincipal->GetNextSubDomainPrincipal();
if (principal) {
return GetPermissionHashKey(principal, aType, aExactHostMatch);
}
}
// No entry, really...
return nullptr;
}
PermissionManager::PermissionHashKey* PermissionManager::GetPermissionHashKey(
nsIURI* aURI, const OriginAttributes* aOriginAttributes, uint32_t aType,
bool aExactHostMatch) {
MOZ_ASSERT(aURI);
#ifdef DEBUG
{
nsCOMPtr<nsIPrincipal> principal;
nsresult rv = NS_OK;
if (aURI) {
rv = GetPrincipal(aURI, getter_AddRefs(principal));
}
MOZ_ASSERT_IF(NS_SUCCEEDED(rv),
PermissionAvailable(principal, mTypeArray[aType]));
}
#endif
nsresult rv;
RefPtr<PermissionKey> key;
if (aOriginAttributes) {
key = PermissionKey::CreateFromURIAndOriginAttributes(
aURI, aOriginAttributes, IsOAForceStripPermission(mTypeArray[aType]),
rv);
} else {
key = PermissionKey::CreateFromURI(aURI, rv);
}
if (!key) {
return nullptr;
}
PermissionHashKey* entry = mPermissionTable.GetEntry(key);
if (entry) {
PermissionEntry permEntry = entry->GetPermission(aType);
// if the entry is expired, remove and keep looking for others.
if (HasExpired(permEntry.mExpireType, permEntry.mExpireTime)) {
entry = nullptr;
// If we need to remove a permission we mint a principal. This is a bit
// inefficient, but hopefully this code path isn't super common.
nsCOMPtr<nsIPrincipal> principal;
if (aURI) {
nsresult rv = GetPrincipal(aURI, getter_AddRefs(principal));
if (NS_WARN_IF(NS_FAILED(rv))) {
return nullptr;
}
}
RemoveFromPrincipal(principal, mTypeArray[aType]);
} else if (permEntry.mPermission == nsIPermissionManager::UNKNOWN_ACTION) {
entry = nullptr;
}
}
if (entry) {
return entry;
}
// If aExactHostMatch wasn't true, we can check if the base domain has a
// permission entry.
if (!aExactHostMatch) {
nsCOMPtr<nsIURI> uri;
if (aURI) {
uri = GetNextSubDomainURI(aURI);
}
if (uri) {
return GetPermissionHashKey(uri, aOriginAttributes, aType,
aExactHostMatch);
}
}
// No entry, really...
return nullptr;
}
nsresult PermissionManager::RemoveAllFromMemory() {
mLargestID = 0;
mTypeArray.clear();
mPermissionTable.Clear();
return NS_OK;
}
// wrapper function for mangling (host,type,perm,expireType,expireTime)
// set into an nsIPermission.
void PermissionManager::NotifyObserversWithPermission(
nsIPrincipal* aPrincipal, const nsACString& aType, uint32_t aPermission,
uint32_t aExpireType, int64_t aExpireTime, int64_t aModificationTime,
const char16_t* aData) {
nsCOMPtr<nsIPermission> permission =
Permission::Create(aPrincipal, aType, aPermission, aExpireType,
aExpireTime, aModificationTime);
if (permission) NotifyObservers(permission, aData);
}
// notify observers that the permission list changed. there are four possible
// values for aData:
// "deleted" means a permission was deleted. aPermission is the deleted
// permission. "added" means a permission was added. aPermission is the added
// permission. "changed" means a permission was altered. aPermission is the new
// permission. "cleared" means the entire permission list was cleared.
// aPermission is null.
void PermissionManager::NotifyObservers(nsIPermission* aPermission,
const char16_t* aData) {
nsCOMPtr<nsIObserverService> observerService = services::GetObserverService();
if (observerService)
observerService->NotifyObservers(aPermission, kPermissionChangeNotification,
aData);
}
nsresult PermissionManager::Read(const MonitorAutoLock& aProofOfLock) {
ENSURE_NOT_CHILD_PROCESS;
MOZ_ASSERT(!NS_IsMainThread());
auto data = mThreadBoundData.Access();
nsresult rv;
bool hasResult;
nsCOMPtr<mozIStorageStatement> stmt;
// Let's retrieve the last used ID.
rv = data->mDBConn->CreateStatement(
nsLiteralCString("SELECT MAX(id) FROM moz_perms"), getter_AddRefs(stmt));
NS_ENSURE_SUCCESS(rv, rv);
while (NS_SUCCEEDED(stmt->ExecuteStep(&hasResult)) && hasResult) {
int64_t id = stmt->AsInt64(0);
mLargestID = id;
}
rv = data->mDBConn->CreateStatement(
nsLiteralCString(
"SELECT id, origin, type, permission, expireType, "
"expireTime, modificationTime "
"FROM moz_perms WHERE expireType != ?1 OR expireTime > ?2"),
getter_AddRefs(stmt));
NS_ENSURE_SUCCESS(rv, rv);
rv = stmt->BindInt32ByIndex(0, nsIPermissionManager::EXPIRE_TIME);
NS_ENSURE_SUCCESS(rv, rv);
rv = stmt->BindInt64ByIndex(1, EXPIRY_NOW);
NS_ENSURE_SUCCESS(rv, rv);
bool readError = false;
while (NS_SUCCEEDED(stmt->ExecuteStep(&hasResult)) && hasResult) {
ReadEntry entry;
// explicitly set our entry id counter for use in AddInternal(),
// and keep track of the largest id so we know where to pick up.
entry.mId = stmt->AsInt64(0);
MOZ_ASSERT(entry.mId <= mLargestID);
rv = stmt->GetUTF8String(1, entry.mOrigin);
if (NS_FAILED(rv)) {
readError = true;
continue;
}
rv = stmt->GetUTF8String(2, entry.mType);
if (NS_FAILED(rv)) {
readError = true;
continue;
}
entry.mPermission = stmt->AsInt32(3);
entry.mExpireType = stmt->AsInt32(4);
// convert into int64_t values (milliseconds)
entry.mExpireTime = stmt->AsInt64(5);
entry.mModificationTime = stmt->AsInt64(6);
entry.mFromMigration = false;
mReadEntries.AppendElement(entry);
}
if (readError) {
NS_ERROR("Error occured while reading the permissions database!");
return NS_ERROR_FAILURE;
}
return NS_OK;
}
void PermissionManager::CompleteMigrations() {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(mState == eReady);
nsresult rv;
nsTArray<MigrationEntry> entries;
{
MonitorAutoLock lock(mMonitor);
entries = std::move(mMigrationEntries);
}
for (const MigrationEntry& entry : entries) {
rv = UpgradeHostToOriginAndInsert(
entry.mHost, entry.mType, entry.mPermission, entry.mExpireType,
entry.mExpireTime, entry.mModificationTime,
[&](const nsACString& aOrigin, const nsCString& aType,
uint32_t aPermission, uint32_t aExpireType, int64_t aExpireTime,
int64_t aModificationTime) {
MaybeAddReadEntryFromMigration(aOrigin, aType, aPermission,
aExpireType, aExpireTime,
aModificationTime, entry.mId);
return NS_OK;
});
Unused << NS_WARN_IF(NS_FAILED(rv));
}
}
void PermissionManager::CompleteRead() {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(mState == eReady);
nsresult rv;
nsTArray<ReadEntry> entries;
{
MonitorAutoLock lock(mMonitor);
entries = std::move(mReadEntries);
}
for (const ReadEntry& entry : entries) {
nsCOMPtr<nsIPrincipal> principal;
rv = GetPrincipalFromOrigin(entry.mOrigin,
IsOAForceStripPermission(entry.mType),
getter_AddRefs(principal));
if (NS_WARN_IF(NS_FAILED(rv))) {
continue;
}
DBOperationType op = entry.mFromMigration ? eWriteToDB : eNoDBOperation;
rv = AddInternal(principal, entry.mType, entry.mPermission, entry.mId,
entry.mExpireType, entry.mExpireTime,
entry.mModificationTime, eDontNotify, op, false,
&entry.mOrigin);
Unused << NS_WARN_IF(NS_FAILED(rv));
}
}
void PermissionManager::InitRemotePermissionService() {
// Check if this service is disabled by pref, and abort if it is.
if (!StaticPrefs::permissions_manager_remote_enabled()) {
return;
}
// Also abort if we are in a background task. We do not want to call remote
// settings there, because we do not want to pollute the background task
// profile, and because we don't need the remote permissions there anyways.
#ifdef MOZ_BACKGROUNDTASKS
if (BackgroundTasks::IsBackgroundTaskMode()) {
return;
}
#endif
NS_DispatchToCurrentThreadQueue(
NS_NewRunnableFunction(
"RemotePermissionService::Init",
[&] {
nsCOMPtr<nsIRemotePermissionService> remotePermissionService =
do_GetService(NS_REMOTEPERMISSIONSERVICE_CONTRACTID);
NS_ENSURE_TRUE_VOID(remotePermissionService);
remotePermissionService->Init();
}),
EventQueuePriority::Idle);
}
void PermissionManager::MaybeAddReadEntryFromMigration(
const nsACString& aOrigin, const nsCString& aType, uint32_t aPermission,
uint32_t aExpireType, int64_t aExpireTime, int64_t aModificationTime,
int64_t aId) {
MonitorAutoLock lock(mMonitor);
// We convert a migration to a ReadEntry only if we don't have an existing
// ReadEntry for the same origin + type.
for (const ReadEntry& entry : mReadEntries) {
if (entry.mOrigin == aOrigin && entry.mType == aType) {
return;
}
}
ReadEntry entry;
entry.mId = aId;
entry.mOrigin = aOrigin;
entry.mType = aType;
entry.mPermission = aPermission;
entry.mExpireType = aExpireType;
entry.mExpireTime = aExpireTime;
entry.mModificationTime = aModificationTime;
entry.mFromMigration = true;
mReadEntries.AppendElement(entry);
}
void PermissionManager::UpdateDB(OperationType aOp, int64_t aID,
const nsACString& aOrigin,
const nsACString& aType, uint32_t aPermission,
uint32_t aExpireType, int64_t aExpireTime,
int64_t aModificationTime) {
ENSURE_NOT_CHILD_PROCESS_NORET;
MOZ_ASSERT(NS_IsMainThread());
EnsureReadCompleted();
nsCString origin(aOrigin);
nsCString type(aType);
RefPtr<PermissionManager> self = this;
mThread->Dispatch(NS_NewRunnableFunction(
"PermissionManager::UpdateDB",
[self, aOp, aID, origin, type, aPermission, aExpireType, aExpireTime,
aModificationTime] {
nsresult rv;
auto data = self->mThreadBoundData.Access();
if (self->mState == eClosed || !data->mDBConn) {
// no statement is ok - just means we don't have a profile
return;
}
mozIStorageStatement* stmt = nullptr;
switch (aOp) {
case eOperationAdding: {
stmt = data->mStmtInsert;
rv = stmt->BindInt64ByIndex(0, aID);
if (NS_FAILED(rv)) break;
rv = stmt->BindUTF8StringByIndex(1, origin);
if (NS_FAILED(rv)) break;
rv = stmt->BindUTF8StringByIndex(2, type);
if (NS_FAILED(rv)) break;
rv = stmt->BindInt32ByIndex(3, aPermission);
if (NS_FAILED(rv)) break;
rv = stmt->BindInt32ByIndex(4, aExpireType);
if (NS_FAILED(rv)) break;
rv = stmt->BindInt64ByIndex(5, aExpireTime);
if (NS_FAILED(rv)) break;
rv = stmt->BindInt64ByIndex(6, aModificationTime);
break;
}
case eOperationRemoving: {
stmt = data->mStmtDelete;
rv = stmt->BindInt64ByIndex(0, aID);
break;
}
case eOperationChanging: {
stmt = data->mStmtUpdate;
rv = stmt->BindInt64ByIndex(0, aID);
if (NS_FAILED(rv)) break;
rv = stmt->BindInt32ByIndex(1, aPermission);
if (NS_FAILED(rv)) break;
rv = stmt->BindInt32ByIndex(2, aExpireType);
if (NS_FAILED(rv)) break;
rv = stmt->BindInt64ByIndex(3, aExpireTime);
if (NS_FAILED(rv)) break;
rv = stmt->BindInt64ByIndex(4, aModificationTime);
break;
}
default: {
MOZ_ASSERT_UNREACHABLE("need a valid operation in UpdateDB()!");
rv = NS_ERROR_UNEXPECTED;
break;
}
}
if (NS_FAILED(rv)) {
NS_WARNING("db change failed!");
return;
}
rv = stmt->Execute();
MOZ_ASSERT(NS_SUCCEEDED(rv));
}));
}
bool PermissionManager::GetPermissionsFromOriginOrKey(
const nsACString& aOrigin, const nsACString& aKey,
nsTArray<IPC::Permission>& aPerms) {
EnsureReadCompleted();
aPerms.Clear();
if (NS_WARN_IF(XRE_IsContentProcess())) {
return false;
}
for (const PermissionHashKey& entry : mPermissionTable) {
nsAutoCString permissionKey;
if (aOrigin.IsEmpty()) {
// We can't check for individual OA strip perms here.
// Don't force strip origin attributes.
GetKeyForOrigin(entry.GetKey()->mOrigin, false, false, permissionKey);
// If the keys don't match, and we aren't getting the default "" key, then
// we can exit early. We have to keep looking if we're getting the default
// key, as we may see a preload permission which should be transmitted.
if (aKey != permissionKey && !aKey.IsEmpty()) {
continue;
}
} else if (aOrigin != entry.GetKey()->mOrigin) {
// If the origins don't match, then we can exit early. We have to keep
// looking if we're getting the default origin, as we may see a preload
// permission which should be transmitted.
continue;
}
for (const auto& permEntry : entry.GetPermissions()) {
// Given how "default" permissions work and the possibility of them
// being overridden with UNKNOWN_ACTION, we might see this value here -
// but we do not want to send it to the content process.
if (permEntry.mPermission == nsIPermissionManager::UNKNOWN_ACTION) {
continue;
}
bool isPreload = IsPreloadPermission(mTypeArray[permEntry.mType]);
bool shouldAppend;
if (aOrigin.IsEmpty()) {
shouldAppend = (isPreload && aKey.IsEmpty()) ||
(!isPreload && aKey == permissionKey);
} else {
shouldAppend = (!isPreload && aOrigin == entry.GetKey()->mOrigin);
}
if (shouldAppend) {
aPerms.AppendElement(
IPC::Permission(entry.GetKey()->mOrigin,
mTypeArray[permEntry.mType], permEntry.mPermission,
permEntry.mExpireType, permEntry.mExpireTime));
}
}
}
return true;
}
void PermissionManager::SetPermissionsWithKey(
const nsACString& aPermissionKey, nsTArray<IPC::Permission>& aPerms) {
if (NS_WARN_IF(XRE_IsParentProcess())) {
return;
}
RefPtr<GenericNonExclusivePromise::Private> promise;
bool foundKey =
mPermissionKeyPromiseMap.Get(aPermissionKey, getter_AddRefs(promise));
if (promise) {
MOZ_ASSERT(foundKey);
// NOTE: This will resolve asynchronously, so we can mark it as resolved
// now, and be confident that we will have filled in the database before any
// callbacks run.
promise->Resolve(true, __func__);
} else if (foundKey) {
// NOTE: We shouldn't be sent two InitializePermissionsWithKey for the same
// key, but it's possible.
return;
}
mPermissionKeyPromiseMap.InsertOrUpdate(
aPermissionKey, RefPtr<GenericNonExclusivePromise::Private>{});
// Add the permissions locally to our process
for (IPC::Permission& perm : aPerms) {
nsCOMPtr<nsIPrincipal> principal;
nsresult rv =
GetPrincipalFromOrigin(perm.origin, IsOAForceStripPermission(perm.type),
getter_AddRefs(principal));
if (NS_WARN_IF(NS_FAILED(rv))) {
continue;
}
#ifdef DEBUG
nsAutoCString permissionKey;
GetKeyForPermission(principal, perm.type, permissionKey);
MOZ_ASSERT(permissionKey == aPermissionKey,
"The permission keys which were sent over should match!");
#endif
// The child process doesn't care about modification times - it neither
// reads nor writes, nor removes them based on the date - so 0 (which
// will end up as now()) is fine.
uint64_t modificationTime = 0;
AddInternal(principal, perm.type, perm.capability, 0, perm.expireType,
perm.expireTime, modificationTime, eNotify, eNoDBOperation,
true /* ignoreSessionPermissions */);
}
}
/* static */
nsresult PermissionManager::GetKeyForOrigin(const nsACString& aOrigin,
bool aForceStripOA,
bool aSiteScopePermissions,
nsACString& aKey) {
aKey.Truncate();
// We only key origins for http, https URIs. All origins begin with
// the URL which they apply to, which means that they should begin with their
// scheme in the case where they are one of these interesting URIs. We don't
// want to actually parse the URL here however, because this can be called on
// hot paths.
if (!StringBeginsWith(aOrigin, "http:"_ns) &&
!StringBeginsWith(aOrigin, "https:"_ns)) {
return NS_OK;
}
// We need to look at the originAttributes if they are present, to make sure
// to remove any which we don't want. We put the rest of the origin, not
// including the attributes, into the key.
OriginAttributes attrs;
if (!attrs.PopulateFromOrigin(aOrigin, aKey)) {
aKey.Truncate();
return NS_OK;
}
MaybeStripOriginAttributes(aForceStripOA, attrs);
#ifdef DEBUG
// Parse the origin string into a principal, and extract some useful
// information from it for assertions.
nsCOMPtr<nsIPrincipal> dbgPrincipal;
MOZ_ALWAYS_SUCCEEDS(GetPrincipalFromOrigin(aOrigin, aForceStripOA,
getter_AddRefs(dbgPrincipal)));
MOZ_ASSERT(dbgPrincipal->SchemeIs("http") || dbgPrincipal->SchemeIs("https"));
MOZ_ASSERT(dbgPrincipal->OriginAttributesRef() == attrs);
#endif
// If it is needed, turn the origin into its site-origin
if (aSiteScopePermissions) {
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), aKey);
if (!NS_WARN_IF(NS_FAILED(rv))) {
nsCString site;
rv = nsEffectiveTLDService::GetInstance()->GetSite(uri, site);
if (!NS_WARN_IF(NS_FAILED(rv))) {
aKey = site;
}
}
}
// Append the stripped suffix to the output origin key.
nsAutoCString suffix;
attrs.CreateSuffix(suffix);
aKey.Append(suffix);
return NS_OK;
}
/* static */
nsresult PermissionManager::GetKeyForPrincipal(nsIPrincipal* aPrincipal,
bool aForceStripOA,
bool aSiteScopePermissions,
nsACString& aKey) {
nsAutoCString origin;
nsresult rv = aPrincipal->GetOrigin(origin);
if (NS_WARN_IF(NS_FAILED(rv))) {
aKey.Truncate();
return rv;
}
return GetKeyForOrigin(origin, aForceStripOA, aSiteScopePermissions, aKey);
}
/* static */
nsresult PermissionManager::GetKeyForPermission(nsIPrincipal* aPrincipal,
const nsACString& aType,
nsACString& aKey) {
// Preload permissions have the "" key.
if (IsPreloadPermission(aType)) {
aKey.Truncate();
return NS_OK;
}
return GetKeyForPrincipal(aPrincipal, IsOAForceStripPermission(aType),
IsSiteScopedPermission(aType), aKey);
}
/* static */
nsTArray<std::pair<nsCString, nsCString>>
PermissionManager::GetAllKeysForPrincipal(nsIPrincipal* aPrincipal) {
MOZ_ASSERT(aPrincipal);
nsTArray<std::pair<nsCString, nsCString>> pairs;
nsCOMPtr<nsIPrincipal> prin = aPrincipal;
while (prin) {
// Add the pair to the list
std::pair<nsCString, nsCString>* pair =
pairs.AppendElement(std::make_pair(""_ns, ""_ns));
// We can't check for individual OA strip perms here.
// Don't force strip origin attributes.
GetKeyForPrincipal(prin, false, false, pair->first);
// On origins with a derived key set to an empty string
// (basically any non-web URI scheme), we want to make sure
// to return earlier, and leave [("", "")] as the resulting
// pairs (but still run the same debug assertions near the
// end of this method).
if (pair->first.IsEmpty()) {
break;
}
Unused << GetOriginFromPrincipal(prin, false, pair->second);
prin = prin->GetNextSubDomainPrincipal();
// Get the next subdomain principal and loop back around.
}
MOZ_ASSERT(pairs.Length() >= 1,
"Every principal should have at least one pair item.");
return pairs;
}
bool PermissionManager::PermissionAvailable(nsIPrincipal* aPrincipal,
const nsACString& aType) {
EnsureReadCompleted();
if (XRE_IsContentProcess()) {
nsAutoCString permissionKey;
// NOTE: GetKeyForPermission accepts a null aType.
GetKeyForPermission(aPrincipal, aType, permissionKey);
// If we have a pending promise for the permission key in question, we don't
// have the permission available, so report a warning and return false.
RefPtr<GenericNonExclusivePromise::Private> promise;
if (!mPermissionKeyPromiseMap.Get(permissionKey, getter_AddRefs(promise)) ||
promise) {
// Emit a useful diagnostic warning with the permissionKey for the process
// which hasn't received permissions yet.
NS_WARNING(nsPrintfCString("This content process hasn't received the "
"permissions for %s yet",
permissionKey.get())
.get());
return false;
}
}
return true;
}
void PermissionManager::WhenPermissionsAvailable(nsIPrincipal* aPrincipal,
nsIRunnable* aRunnable) {
MOZ_ASSERT(aRunnable);
if (!XRE_IsContentProcess()) {
aRunnable->Run();
return;
}
nsTArray<RefPtr<GenericNonExclusivePromise>> promises;
for (auto& pair : GetAllKeysForPrincipal(aPrincipal)) {
RefPtr<GenericNonExclusivePromise::Private> promise;
if (!mPermissionKeyPromiseMap.Get(pair.first, getter_AddRefs(promise))) {
// In this case we have found a permission which isn't available in the
// content process and hasn't been requested yet. We need to create a new
// promise, and send the request to the parent (if we have not already
// done so).
promise = new GenericNonExclusivePromise::Private(__func__);
mPermissionKeyPromiseMap.InsertOrUpdate(pair.first, RefPtr{promise});
}
if (promise) {
promises.AppendElement(std::move(promise));
}
}
// If all of our permissions are available, immediately run the runnable. This
// avoids any extra overhead during fetch interception which is performance
// sensitive.
if (promises.IsEmpty()) {
aRunnable->Run();
return;
}
auto* thread = AbstractThread::MainThread();
RefPtr<nsIRunnable> runnable = aRunnable;
GenericNonExclusivePromise::All(thread, promises)
->Then(
thread, __func__, [runnable]() { runnable->Run(); },
[]() {
NS_WARNING(
"PermissionManager permission promise rejected. We're "
"probably shutting down.");
});
}
void PermissionManager::EnsureReadCompleted() {
MOZ_ASSERT(NS_IsMainThread());
if (mState == eInitializing) {
MonitorAutoLock lock(mMonitor);
while (mState == eInitializing) {
mMonitor.Wait();
}
}
switch (mState) {
case eInitializing:
MOZ_CRASH("This state is impossible!");
case eDBInitialized:
mState = eReady;
CompleteMigrations();
ImportLatestDefaults();
CompleteRead();
[[fallthrough]];
case eReady:
[[fallthrough]];
case eClosed:
return;
default:
MOZ_CRASH("Invalid state");
}
}
already_AddRefed<nsIInputStream> PermissionManager::GetDefaultsInputStream() {
MOZ_ASSERT(NS_IsMainThread());
nsAutoCString defaultsURL;
Preferences::GetCString(kDefaultsUrlPrefName, defaultsURL);
if (defaultsURL.IsEmpty()) { // == Don't use built-in permissions.
return nullptr;
}
nsCOMPtr<nsIURI> defaultsURI;
nsresult rv = NS_NewURI(getter_AddRefs(defaultsURI), defaultsURL);
NS_ENSURE_SUCCESS(rv, nullptr);
nsCOMPtr<nsIChannel> channel;
rv = NS_NewChannel(getter_AddRefs(channel), defaultsURI,
nsContentUtils::GetSystemPrincipal(),
nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,
nsIContentPolicy::TYPE_OTHER);
NS_ENSURE_SUCCESS(rv, nullptr);
nsCOMPtr<nsIInputStream> inputStream;
rv = channel->Open(getter_AddRefs(inputStream));
NS_ENSURE_SUCCESS(rv, nullptr);
return inputStream.forget();
}
void PermissionManager::ConsumeDefaultsInputStream(
nsIInputStream* aInputStream, const MonitorAutoLock& aProofOfLock) {
MOZ_ASSERT(!NS_IsMainThread());
constexpr char kMatchTypeHost[] = "host";
constexpr char kMatchTypeOrigin[] = "origin";
mDefaultEntriesForImport.Clear();
if (!aInputStream) {
return;
}
nsresult rv;
/* format is:
* matchtype \t type \t permission \t host
* Only "host" is supported for matchtype
* type is a string that identifies the type of permission (e.g. "cookie")
* permission is an integer between 1 and 15
*/
// Ideally we'd do this with nsILineInputString, but this is called with an
// nsIInputStream that comes from a resource:// URI, which doesn't support
// that interface. So NS_ReadLine to the rescue...
nsLineBuffer<char> lineBuffer;
nsCString line;
bool isMore = true;
do {
rv = NS_ReadLine(aInputStream, &lineBuffer, line, &isMore);
NS_ENSURE_SUCCESS_VOID(rv);
if (line.IsEmpty() || line.First() == '#') {
continue;
}
nsTArray<nsCString> lineArray;
// Split the line at tabs
ParseString(line, '\t', lineArray);
if (lineArray.Length() != 4) {
continue;
}
nsresult error = NS_OK;
uint32_t permission = lineArray[2].ToInteger(&error);
if (NS_FAILED(error)) {
continue;
}
const nsCString& hostOrOrigin = lineArray[3];
const nsCString& type = lineArray[1];
if (lineArray[0].EqualsLiteral(kMatchTypeHost)) {
UpgradeHostToOriginAndInsert(
hostOrOrigin, type, permission, nsIPermissionManager::EXPIRE_NEVER, 0,
0,
[&](const nsACString& aOrigin, const nsCString& aType,
uint32_t aPermission, uint32_t aExpireType, int64_t aExpireTime,
int64_t aModificationTime) {
AddDefaultEntryForImport(aOrigin, aType, aPermission, aProofOfLock);
return NS_OK;
});
} else if (lineArray[0].EqualsLiteral(kMatchTypeOrigin)) {
AddDefaultEntryForImport(hostOrOrigin, type, permission, aProofOfLock);
} else {
continue;
}
} while (isMore);
}
void PermissionManager::AddDefaultEntryForImport(
const nsACString& aOrigin, const nsCString& aType, uint32_t aPermission,
const MonitorAutoLock& aProofOfLock) {
DefaultEntry* entry = mDefaultEntriesForImport.AppendElement();
MOZ_ASSERT(entry);
entry->mPermission = aPermission;
entry->mOrigin = aOrigin;
entry->mType = aType;
}
nsresult PermissionManager::ImportDefaultEntry(
const DefaultEntry& aDefaultEntry) {
nsCOMPtr<nsIPrincipal> principal;
nsresult rv = GetPrincipalFromOrigin(
aDefaultEntry.mOrigin, IsOAForceStripPermission(aDefaultEntry.mType),
getter_AddRefs(principal));
if (NS_FAILED(rv)) {
NS_WARNING("Couldn't import an origin permission - malformed origin");
return rv;
}
// the import file format doesn't handle modification times, so we use
// 0, which AddInternal will convert to now()
int64_t modificationTime = 0;
rv = AddInternal(principal, aDefaultEntry.mType, aDefaultEntry.mPermission,
cIDPermissionIsDefault, nsIPermissionManager::EXPIRE_NEVER,
0, modificationTime, eDontNotify, eNoDBOperation);
if (NS_FAILED(rv)) {
NS_WARNING("There was a problem importing an origin permission");
return rv;
}
if (StaticPrefs::permissions_isolateBy_privateBrowsing() &&
!IsOAForceStripPermission(aDefaultEntry.mType)) {
// Also import the permission for private browsing.
OriginAttributes attrs = OriginAttributes(principal->OriginAttributesRef());
attrs.mPrivateBrowsingId = 1;
nsCOMPtr<nsIPrincipal> pbPrincipal =
BasePrincipal::Cast(principal)->CloneForcingOriginAttributes(attrs);
// May return nullptr if clone fails.
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
rv =
AddInternal(pbPrincipal, aDefaultEntry.mType, aDefaultEntry.mPermission,
cIDPermissionIsDefault, nsIPermissionManager::EXPIRE_NEVER,
0, modificationTime, eDontNotify, eNoDBOperation);
if (NS_FAILED(rv)) {
NS_WARNING(
"There was a problem importing an origin permission for private "
"browsing");
return rv;
}
}
return NS_OK;
}
// ImportLatestDefaults will import the latest default permissions read during
// the last DB initialization.
nsresult PermissionManager::ImportLatestDefaults() {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(mState == eReady);
MonitorAutoLock lock(mMonitor);
for (const DefaultEntry& entry : mDefaultEntriesForImport) {
Unused << ImportDefaultEntry(entry);
}
return NS_OK;
}
/**
* Perform the early steps of a permission check and determine whether we need
* to call CommonTestPermissionInternal() for the actual permission check.
*
* @param aPrincipal optional principal argument to check the permission for,
* can be nullptr if we aren't performing a principal-based
* check.
* @param aTypeIndex if the caller isn't sure what the index of the permission
* type to check for is in the mTypeArray member variable,
* it should pass -1, otherwise this would be the index of
* the type inside mTypeArray. This would only be something
* other than -1 in recursive invocations of this function.
* @param aType the permission type to test.
* @param aPermission out argument which will be a permission type that we
* will return from this function once the function is
* done.
* @param aDefaultPermission the default permission to be used if we can't
* determine the result of the permission check.
* @param aDefaultPermissionIsValid whether the previous argument contains a
* valid value.
* @param aExactHostMatch whether to look for the exact host name or also for
* subdomains that can have the same permission.
* @param aIncludingSession whether to include session permissions when
* testing for the permission.
*/
PermissionManager::TestPreparationResult
PermissionManager::CommonPrepareToTestPermission(
nsIPrincipal* aPrincipal, int32_t aTypeIndex, const nsACString& aType,
uint32_t* aPermission, uint32_t aDefaultPermission,
bool aDefaultPermissionIsValid, bool aExactHostMatch,
bool aIncludingSession) {
auto* basePrin = BasePrincipal::Cast(aPrincipal);
if (basePrin && basePrin->IsSystemPrincipal()) {
*aPermission = ALLOW_ACTION;
return AsVariant(NS_OK);
}
EnsureReadCompleted();
// For some permissions, query the default from a pref. We want to avoid
// doing this for all permissions so that permissions can opt into having
// the pref lookup overhead on each call.
int32_t defaultPermission =
aDefaultPermissionIsValid ? aDefaultPermission : UNKNOWN_ACTION;
if (!aDefaultPermissionIsValid && HasDefaultPref(aType)) {
Unused << mDefaultPrefBranch->GetIntPref(PromiseFlatCString(aType).get(),
&defaultPermission);
if (defaultPermission < 0 ||
defaultPermission > nsIPermissionManager::MAX_VALID_ACTION) {
defaultPermission = nsIPermissionManager::UNKNOWN_ACTION;
}
}
// Set the default.
*aPermission = defaultPermission;
int32_t typeIndex =
aTypeIndex == -1 ? GetTypeIndex(aType, false) : aTypeIndex;
// For expanded principals, we want to iterate over the allowlist and see
// if the permission is granted for any of them.
if (basePrin && basePrin->Is<ExpandedPrincipal>()) {
auto ep = basePrin->As<ExpandedPrincipal>();
for (auto& prin : ep->AllowList()) {
uint32_t perm;
nsresult rv =
CommonTestPermission(prin, typeIndex, aType, &perm, defaultPermission,
true, aExactHostMatch, aIncludingSession);
if (NS_WARN_IF(NS_FAILED(rv))) {
return AsVariant(rv);
}
if (perm == nsIPermissionManager::ALLOW_ACTION) {
*aPermission = perm;
return AsVariant(NS_OK);
}
if (perm == nsIPermissionManager::PROMPT_ACTION) {
// Store it, but keep going to see if we can do better.
*aPermission = perm;
}
}
return AsVariant(NS_OK);
}
// If type == -1, the type isn't known, just signal that we are done.
if (typeIndex == -1) {
return AsVariant(NS_OK);
}
return AsVariant(typeIndex);
}
// If aTypeIndex is passed -1, we try to inder the type index from aType.
nsresult PermissionManager::CommonTestPermission(
nsIPrincipal* aPrincipal, int32_t aTypeIndex, const nsACString& aType,
uint32_t* aPermission, uint32_t aDefaultPermission,
bool aDefaultPermissionIsValid, bool aExactHostMatch,
bool aIncludingSession) {
auto preparationResult = CommonPrepareToTestPermission(
aPrincipal, aTypeIndex, aType, aPermission, aDefaultPermission,
aDefaultPermissionIsValid, aExactHostMatch, aIncludingSession);
if (preparationResult.is<nsresult>()) {
return preparationResult.as<nsresult>();
}
return CommonTestPermissionInternal(
aPrincipal, nullptr, nullptr, preparationResult.as<int32_t>(), aType,
aPermission, aExactHostMatch, aIncludingSession);
}
// If aTypeIndex is passed -1, we try to inder the type index from aType.
nsresult PermissionManager::CommonTestPermission(
nsIURI* aURI, int32_t aTypeIndex, const nsACString& aType,
uint32_t* aPermission, uint32_t aDefaultPermission,
bool aDefaultPermissionIsValid, bool aExactHostMatch,
bool aIncludingSession) {
auto preparationResult = CommonPrepareToTestPermission(
nullptr, aTypeIndex, aType, aPermission, aDefaultPermission,
aDefaultPermissionIsValid, aExactHostMatch, aIncludingSession);
if (preparationResult.is<nsresult>()) {
return preparationResult.as<nsresult>();
}
return CommonTestPermissionInternal(
nullptr, aURI, nullptr, preparationResult.as<int32_t>(), aType,
aPermission, aExactHostMatch, aIncludingSession);
}
nsresult PermissionManager::CommonTestPermission(
nsIURI* aURI, const OriginAttributes* aOriginAttributes, int32_t aTypeIndex,
const nsACString& aType, uint32_t* aPermission, uint32_t aDefaultPermission,
bool aDefaultPermissionIsValid, bool aExactHostMatch,
bool aIncludingSession) {
auto preparationResult = CommonPrepareToTestPermission(
nullptr, aTypeIndex, aType, aPermission, aDefaultPermission,
aDefaultPermissionIsValid, aExactHostMatch, aIncludingSession);
if (preparationResult.is<nsresult>()) {
return preparationResult.as<nsresult>();
}
return CommonTestPermissionInternal(
nullptr, aURI, aOriginAttributes, preparationResult.as<int32_t>(), aType,
aPermission, aExactHostMatch, aIncludingSession);
}
nsresult PermissionManager::TestPermissionWithoutDefaultsFromPrincipal(
nsIPrincipal* aPrincipal, const nsACString& aType, uint32_t* aPermission) {
MOZ_ASSERT(!HasDefaultPref(aType));
return CommonTestPermission(aPrincipal, -1, aType, aPermission,
nsIPermissionManager::UNKNOWN_ACTION, true, false,
true);
}
void PermissionManager::MaybeCompleteShutdown() {
MOZ_ASSERT(NS_IsMainThread());
nsCOMPtr<nsIAsyncShutdownClient> asc = GetAsyncShutdownBarrier();
MOZ_ASSERT(asc);
DebugOnly<nsresult> rv = asc->RemoveBlocker(this);
MOZ_ASSERT(NS_SUCCEEDED(rv));
}
// Async shutdown blocker methods
NS_IMETHODIMP PermissionManager::GetName(nsAString& aName) {
aName = u"PermissionManager: Flushing data"_ns;
return NS_OK;
}
NS_IMETHODIMP PermissionManager::BlockShutdown(
nsIAsyncShutdownClient* aClient) {
RemoveIdleDailyMaintenanceJob();
RemoveAllFromMemory();
CloseDB(eShutdown);
gPermissionManager = nullptr;
return NS_OK;
}
NS_IMETHODIMP
PermissionManager::GetState(nsIPropertyBag** aBagOut) {
nsCOMPtr<nsIWritablePropertyBag2> propertyBag =
do_CreateInstance("@mozilla.org/hash-property-bag;1");
nsresult rv = propertyBag->SetPropertyAsInt32(u"state"_ns, mState);
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
propertyBag.forget(aBagOut);
return NS_OK;
}
nsCOMPtr<nsIAsyncShutdownClient> PermissionManager::GetAsyncShutdownBarrier()
const {
nsresult rv;
nsCOMPtr<nsIAsyncShutdownService> svc =
do_GetService("@mozilla.org/async-shutdown-service;1", &rv);
if (NS_FAILED(rv)) {
return nullptr;
}
nsCOMPtr<nsIAsyncShutdownClient> client;
// This feels very late but there seem to be other services that rely on
// us later than "profile-before-change".
rv = svc->GetXpcomWillShutdown(getter_AddRefs(client));
MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
return client;
}
void PermissionManager::MaybeStripOriginAttributes(
bool aForceStrip, OriginAttributes& aOriginAttributes) {
uint32_t flags = 0;
if (aForceStrip || !StaticPrefs::permissions_isolateBy_privateBrowsing()) {
flags |= OriginAttributes::STRIP_PRIVATE_BROWSING_ID;
}
if (aForceStrip || !StaticPrefs::permissions_isolateBy_userContext()) {
flags |= OriginAttributes::STRIP_USER_CONTEXT_ID;
}
if (flags != 0) {
aOriginAttributes.StripAttributes(flags);
}
}
} // namespace mozilla