Integrates polymer-resin into polygerrit-ui

This is attempt 3 at rolling-forward c/106190

New Dependency
==============
This adds polymer-resin as a bower archive.
See `bower info polymer-resin\#1.2.6-beta` for details.
Polymer-resin is part of the larger polymer project so is
license compatible.

Integration
===========
The main application element, app/elements/gr-app.html, now HTML
imports polymer-resin per
github.com/Polymer/polymer-resin/blob/master/getting-started.md#loading
It uses the following configuration:
1. All dynamic IDs are allowed.
2. Policy violation reports are sent to the dev console.

test/common-test-setup.html does the same so that tests are run in the
same environment.

Testing
=======
1.  Running local tests
    gerrit $ ./polygerrit-ui/app/run_tests.sh
    With 1.2.6-beta tests run green on (Chrome, Firefox, Safari).
2.  Testing for false positives
    I ran two servers.
    a. polygerrit-ui/run_server.sh
    b. gerrit.war per https://git.eclipse.org/r/Documentation/dev-readme.html
    I noticed that in both the dev console showed 'initResin' early and
    paging around showed no violation reports.
3.  Testing for true negatives
    I patched in the diff at the end of this description, and reran
    both server environments.
    I noted that browsing to localhost:8081/#javascript:alert(1)
    and localhost:8080/#javascript:alert(1) both showed a
    violation report about javascript:alert(1) being rejected.
    Clicking Changes / XSS did not result in a popup.

Differences
===========
This loads the non-debug version but configured with a console reporter
so should minimize code size and speed overhead.
This loads via gr-app so the input is automatically vulcanized.

--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -56,6 +56,11 @@
         url: '/q/status:abandoned',
         name: 'Abandoned',
       },
+      {  // HACK DO NOT SUBMIT
+        url: (location.hash && location.hash.replace(/^#/, ''))
+            || '/echoes_hash',
+        name: 'XSS',
+      },
     ],
   }];
--- a/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
+++ b/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js
@@ -93,6 +93,7 @@
     },

     _computeRelativeURL(path) {
+if (path && /^\w+\:/.test(path)) { return path; }  // HACK DO NOT SUBMIT
       const host = window.location.host;
       return this._computeURLHelper(host, path);
     },

Change-Id: I38bfa124abd4fb35972833f29fc1664ec2404e34

WORKSPACE

@@ -1100,6 +1100,13 @@ bower_archive(
     version = "1.9.1",
 )
 
+bower_archive(
+    name = "polymer-resin",
+    package = "polymer/polymer-resin",
+    sha1 = "d759c8c09054a7ec04608a6cb586801c904f79a2",
+    version = "1.2.6-beta",
+)
+
 bower_archive(
     name = "promise-polyfill",
     package = "polymerlabs/promise-polyfill",

gerrit-httpd/src/main/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy

@@ -44,6 +44,12 @@
   <link rel="stylesheet" href="{$staticResourcePath}/styles/fonts.css">{\n}
   <link rel="stylesheet" href="{$staticResourcePath}/styles/main.css">{\n}
   <script src="{$staticResourcePath}/bower_components/webcomponentsjs/webcomponents-lite.js"></script>{\n}
+  // Content between webcomponents-lite and the load of the main app element
+  // run before polymer-resin is installed so may have security consequences.
+  // Contact your local security engineer if you have any questions, and
+  // CC them on any changes that load content before gr-app.html.
+  //
+  // github.com/Polymer/polymer-resin/blob/master/getting-started.md#integrating
   <link rel="preload" href="{$staticResourcePath}/elements/gr-app.js" as="script" crossorigin="anonymous">{\n}
   <link rel="import" href="{$staticResourcePath}/elements/gr-app.html">{\n}
 

lib/js/bower_components.bzl

@@ -173,6 +173,15 @@ def define_bower_components():
     deps = [ ":webcomponentsjs" ],
     seed = True,
   )
+  bower_component(
+    name = "polymer-resin",
+    license = "//lib:LICENSE-polymer",
+    deps = [
+      ":polymer",
+      ":webcomponentsjs",
+    ],
+    seed = True,
+  )
   bower_component(
     name = "promise-polyfill",
     license = "//lib:LICENSE-promise-polyfill",

polygerrit-ui/BUILD

@@ -21,6 +21,7 @@ bower_component_bundle(
         "//lib/js:moment",
         "//lib/js:page",
         "//lib/js:polymer",
+        "//lib/js:polymer-resin",
         "//lib/js:promise-polyfill",
     ],
 )

polygerrit-ui/app/elements/gr-app.html

@@ -15,6 +15,13 @@ limitations under the License.
 -->
 
 <link rel="import" href="../bower_components/polymer/polymer.html">
+<link rel="import" href="../bower_components/polymer-resin/standalone/polymer-resin.html">
+<script>
+  security.polymer_resin.install({
+    allowedIdentifierPrefixes: [''],
+    reportHandler: security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER,
+  });
+</script>
 
 <link rel="import" href="./admin/gr-admin-view/gr-admin-view.html">
 <link rel="import" href="./change-list/gr-change-list-view/gr-change-list-view.html">

polygerrit-ui/app/index.html

@@ -29,6 +29,14 @@ RobotoMono fonts are used in styles/fonts.css
 <link rel="stylesheet" href="/styles/fonts.css">
 <link rel="stylesheet" href="/styles/main.css">
 <script src="/bower_components/webcomponentsjs/webcomponents-lite.js"></script>
+<!--
+  - Content between webcomponents-lite and the load of the main app element
+  - run before polymer-resin is installed so may have security consequences.
+  - Contact your local security engineer if you have any questions, and
+  - CC them on any changes that load content before gr-app.html.
+  -
+  - github.com/Polymer/polymer-resin/blob/master/getting-started.md#integrating
+  -->
 <link rel="preload" href="/elements/gr-app.js" as="script" crossorigin="anonymous">
 <link rel="import" href="/elements/gr-app.html">
 

polygerrit-ui/app/test/common-test-setup.html

@@ -15,5 +15,24 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 
-<link rel="import" href="../bower_components/iron-test-helpers/iron-test-helpers.html" />
+<link rel="import"
+    href="../bower_components/polymer-resin/standalone/polymer-resin.html" />
+<script>
+  security.polymer_resin.install({
+    allowedIdentifierPrefixes: [''],
+    reportHandler(isViolation, fmt, ...args) {
+      const log = security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER;
+      log(isViolation, fmt, ...args);
+      if (isViolation) {
+        // This will cause the test to fail if there is a data binding
+        // violation.
+        throw new Error(
+            'polymer-resin violation: ' + fmt
+            + JSON.stringify(args));
+      }
+    },
+  });
+</script>
+<link rel="import"
+    href="../bower_components/iron-test-helpers/iron-test-helpers.html" />
 <link rel="import" href="test-router.html" />