// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "extensions/browser/process_map.h"

#include <tuple>

#include "content/public/browser/child_process_security_policy.h"
#include "content/public/browser/render_process_host.h"
#include "content/public/common/url_constants.h"
#include "extensions/browser/content_script_tracker.h"
#include "extensions/browser/extension_registry.h"
#include "extensions/browser/guest_view/web_view/web_view_renderer_state.h"
#include "extensions/browser/process_map_factory.h"
#include "extensions/common/extension.h"
#include "extensions/common/features/feature.h"

namespace extensions {

namespace {

// Returns true if `process_id` is associated with a WebUI process.
bool ProcessHasWebUIBindings(int process_id) {
  // TODO(crbug.com/1055656): HasWebUIBindings does not always return true for
  // WebUIs. This should be changed to use something else.
  return content::ChildProcessSecurityPolicy::GetInstance()->HasWebUIBindings(
      process_id);
}

// Returns true if `process_id` is associated with a webview owned by the
// extension with the specified `extension_id`.
bool IsWebViewProcessForExtension(int process_id,
                                  const ExtensionId& extension_id) {
  WebViewRendererState* web_view_state = WebViewRendererState::GetInstance();
  if (!web_view_state->IsGuest(process_id)) {
    return false;
  }

  std::string webview_owner;
  int owner_process_id = -1;
  bool found_info = web_view_state->GetOwnerInfo(process_id, &owner_process_id,
                                                 &webview_owner);
  return found_info && webview_owner == extension_id;
}

}  // namespace

// Item
struct ProcessMap::Item {
  Item(const std::string& extension_id, int process_id)
      : extension_id(extension_id), process_id(process_id) {}

  Item(const Item&) = delete;
  Item& operator=(const Item&) = delete;

  ~Item() = default;

  Item(ProcessMap::Item&&) = default;
  Item& operator=(ProcessMap::Item&&) = default;

  bool operator<(const ProcessMap::Item& other) const {
    return std::tie(extension_id, process_id) <
           std::tie(other.extension_id, other.process_id);
  }

  std::string extension_id;
  int process_id = 0;
};


// ProcessMap
ProcessMap::ProcessMap() = default;

ProcessMap::~ProcessMap() = default;

// static
ProcessMap* ProcessMap::Get(content::BrowserContext* browser_context) {
  return ProcessMapFactory::GetForBrowserContext(browser_context);
}

bool ProcessMap::Insert(const std::string& extension_id, int process_id) {
  return items_.insert(Item(extension_id, process_id)).second;
}

int ProcessMap::RemoveAllFromProcess(int process_id) {
  int result = 0;
  for (auto iter = items_.begin(); iter != items_.end();) {
    if (iter->process_id == process_id) {
      items_.erase(iter++);
      ++result;
    } else {
      ++iter;
    }
  }
  return result;
}

bool ProcessMap::Contains(const std::string& extension_id,
                          int process_id) const {
  for (auto iter = items_.cbegin(); iter != items_.cend(); ++iter) {
    if (iter->process_id == process_id && iter->extension_id == extension_id)
      return true;
  }
  return false;
}

bool ProcessMap::Contains(int process_id) const {
  for (auto iter = items_.cbegin(); iter != items_.cend(); ++iter) {
    if (iter->process_id == process_id)
      return true;
  }
  return false;
}

std::set<std::string> ProcessMap::GetExtensionsInProcess(int process_id) const {
  std::set<std::string> result;
  for (auto iter = items_.cbegin(); iter != items_.cend(); ++iter) {
    if (iter->process_id == process_id)
      result.insert(iter->extension_id);
  }
  return result;
}

bool ProcessMap::IsPrivilegedExtensionProcess(const Extension& extension,
                                              int process_id) {
  return Contains(extension.id(), process_id) &&
         // Hosted apps aren't considered privileged extension processes...
         (!extension.is_hosted_app() ||
          // ... Unless they're component hosted apps, like the webstore.
          // TODO(https://crbug/1429667): We can clean this up when we remove
          // special handling of component hosted apps.
          extension.location() == mojom::ManifestLocation::kComponent) &&
         // Lock screen contexts are not the same as privileged extension
         // processes.
         !is_lock_screen_context_;
}

bool ProcessMap::CanProcessHostContextType(
    const Extension* extension,
    const content::RenderProcessHost& process,
    Feature::Context context_type) {
  const int process_id = process.GetID();
  switch (context_type) {
    case Feature::UNSPECIFIED_CONTEXT:
      // We never consider unspecified contexts valid. Even though they would be
      // permissionless, they should never be able to make a request to the
      // browser.
      return false;
    case Feature::OFFSCREEN_EXTENSION_CONTEXT:
    case Feature::BLESSED_EXTENSION_CONTEXT:
      // Offscreen documents run in the main extension process, so both of these
      // require a privileged extension process.
      return extension && IsPrivilegedExtensionProcess(*extension, process_id);
    case Feature::UNBLESSED_EXTENSION_CONTEXT:
      return extension &&
             IsWebViewProcessForExtension(process_id, extension->id());
    case Feature::CONTENT_SCRIPT_CONTEXT:
      // Currently, we assume any process can host a content script.
      // TODO(crbug.com/1186557): This could be better by looking at
      // ContentScriptTracker, as we do for user scripts below.
      return !!extension;
    case Feature::USER_SCRIPT_CONTEXT:
      return extension &&
             ContentScriptTracker::DidProcessRunUserScriptFromExtension(
                 process, extension->id());
    case Feature::LOCK_SCREEN_EXTENSION_CONTEXT:
      // Lock screen contexts are essentially blessed contexts that run on the
      // lock screen profile. We don't run component hosted apps there, so no
      // need to allow those.
      return is_lock_screen_context_ && extension &&
             !extension->is_hosted_app() &&
             Contains(extension->id(), process_id);
    case Feature::BLESSED_WEB_PAGE_CONTEXT:
      // A blessed web page is a (non-component) hosted app process.
      return extension && extension->is_hosted_app() &&
             extension->location() != mojom::ManifestLocation::kComponent &&
             Contains(extension->id(), process_id);
    case Feature::WEBUI_UNTRUSTED_CONTEXT:
      // Unfortunately, we have no way of checking if a *process* can host
      // untrusted webui contexts. Callers should look at (ideally, the
      // browser-verified) origin.
      [[fallthrough]];
    case Feature::WEB_PAGE_CONTEXT:
      // Any context not associated with an extension, not running in an
      // extension process, and without webui bindings can be considered a
      // web page process.
      return !extension && !Contains(process_id) &&
             !ProcessHasWebUIBindings(process_id);
    case Feature::WEBUI_CONTEXT:
      // Don't consider extensions in webui (like content scripts) to be
      // webui.
      return !extension && ProcessHasWebUIBindings(process_id);
  }
}

Feature::Context ProcessMap::GetMostLikelyContextType(
    const Extension* extension,
    int process_id,
    const GURL* url) const {
  // WARNING: This logic must match ScriptContextSet::ClassifyJavaScriptContext,
  // as much as possible.

  // TODO(crbug.com/1055168): Move this into the !extension if statement below
  // or document why we want to return WEBUI_CONTEXT for content scripts in
  // WebUIs.
  if (ProcessHasWebUIBindings(process_id)) {
    return Feature::WEBUI_CONTEXT;
  }

  if (!extension) {
    // Note that blob/filesystem schemes associated with an inner URL of
    // chrome-untrusted will be considered regular pages.
    if (url && url->SchemeIs(content::kChromeUIUntrustedScheme))
      return Feature::WEBUI_UNTRUSTED_CONTEXT;

    return Feature::WEB_PAGE_CONTEXT;
  }

  if (!Contains(extension->id(), process_id)) {
    // If the process map doesn't contain the process, it might be an extension
    // frame in a webview.
    // We (deliberately) don't add webview-hosted frames to the process map and
    // don't classify them as BLESSED_EXTENSION_CONTEXTs.
    if (url && extension->origin().IsSameOriginWith(*url) &&
        IsWebViewProcessForExtension(process_id, extension->id())) {
      // Yep, it's an extension frame in a webview.
      return Feature::UNBLESSED_EXTENSION_CONTEXT;
    }

    // Otherwise, it's a content script (the context in which an extension can
    // run in an unassociated, non-webview process).
    return Feature::CONTENT_SCRIPT_CONTEXT;
  }

  if (extension->is_hosted_app() &&
      extension->location() != mojom::ManifestLocation::kComponent) {
    return Feature::BLESSED_WEB_PAGE_CONTEXT;
  }

  // TODO(https://crbug.com/1339382): Currently, offscreen document contexts
  // are misclassified as BLESSED_EXTENSION_CONTEXTs. This is not ideal
  // because there is a mismatch between the browser and the renderer), but it's
  // not a security issue because, while offscreen documents have fewer
  // capabilities, this is an API distinction, and not a security enforcement.
  // Offscreen documents run in the same process as the rest of the extension
  // and can message the extension, so could easily - though indirectly -
  // access all the same features.
  // Even so, we should fix this to properly classify offscreen documents (and
  // this would be a problem if offscreen documents ever have access to APIs
  // that BLESSED_EXTENSION_CONTEXTs don't).

  return is_lock_screen_context_ ? Feature::LOCK_SCREEN_EXTENSION_CONTEXT
                                 : Feature::BLESSED_EXTENSION_CONTEXT;
}

}  // namespace extensions