DLP: Add feature to disable DLP policy parsing and applying.

Adding a feature flag that is disabled by default as the behavior even though it is anyway gated on the presence of the policy. For now we'll enable it via Finch flag configuration for all users. However, we need to have ability to turn the feature off on older builds later when the policy will be released to public - otherwise these devices with older build will have unwanted experience. Bug: 1131067 Test: New unit test added. Change-Id: Ia29f053f4128d67a2976e78a573f1ccda998f7c1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2428898Reviewed-by: Nikita Podguzov <nikitapodguzov@chromium.org> Reviewed-by: Aya Elsayed <ayaelattar@chromium.org> Commit-Queue: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/master@{#811977}

DLP: Add feature to disable DLP policy parsing and applying.
Adding a feature flag that is disabled by default as the behavior even though it is anyway gated on the presence of the policy. For now we'll enable it via Finch flag configuration for all users. However, we need to have ability to turn the feature off on older builds later when the policy will be released to public - otherwise these devices with older build will have unwanted experience. Bug: 1131067 Test: New unit test added. Change-Id: Ia29f053f4128d67a2976e78a573f1ccda998f7c1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2428898Reviewed-by: Nikita Podguzov <nikitapodguzov@chromium.org> Reviewed-by: Aya Elsayed <ayaelattar@chromium.org> Commit-Queue: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/master@{#811977}
038dde78 · Sergey Poromov · Commit Bot · d35cc136 · 038dde78 · 038dde78
Commit 038dde78 authored Sep 30, 2020 by Sergey Poromov Committed by Commit Bot Sep 30, 2020
5 changed files
--- a/chrome/browser/chromeos/policy/dlp/dlp_rules_manager.cc
+++ b/chrome/browser/chromeos/policy/dlp/dlp_rules_manager.cc
@@ -11,9 +11,11 @@
 #include <utility>
 #include "base/bind.h"
+#include "base/feature_list.h"
 #include "base/no_destructor.h"
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
+#include "chrome/common/chrome_features.h"
 #include "components/policy/core/browser/url_util.h"
 #include "components/policy/core/common/policy_pref_names.h"
 #include "components/prefs/pref_registry_simple.h"
@@ -246,6 +248,10 @@ void DlpRulesManager::OnPolicyUpdate() {
  src_url_matcher_ = std::make_unique<url_matcher::URLMatcher>();
  dst_url_matcher_ = std::make_unique<url_matcher::URLMatcher>();
+  if (!base::FeatureList::IsEnabled(features::kDataLeakPreventionPolicy)) {
+    return;
+  }
  const base::ListValue* rules_list =
      g_browser_process->local_state()->GetList(policy_prefs::kDlpRulesList);

--- a/chrome/browser/chromeos/policy/dlp/dlp_rules_manager_browsertest.cc
+++ b/chrome/browser/chromeos/policy/dlp/dlp_rules_manager_browsertest.cc
@@ -2,10 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+#include "base/test/scoped_feature_list.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager_test_utils.h"
 #include "chrome/browser/policy/policy_test_utils.h"
+#include "chrome/common/chrome_features.h"
 #include "components/policy/core/common/policy_map.h"
 #include "components/policy/policy_constants.h"
 #include "content/public/test/browser_test.h"
@@ -16,7 +18,16 @@ namespace {
 constexpr char kUrlStr1[] = "https://wwww.example.com";
 }
-class DlpRulesPolicyTest : public PolicyTest {};
+class DlpRulesPolicyTest : public PolicyTest {
+ public:
+  DlpRulesPolicyTest() {
+    scoped_feature_list_.InitAndEnableFeature(
+        features::kDataLeakPreventionPolicy);
+  }
+ private:
+  base::test::ScopedFeatureList scoped_feature_list_;
+};
 IN_PROC_BROWSER_TEST_F(DlpRulesPolicyTest, ParsePolicyPref) {
  base::Value rules(base::Value::Type::LIST);

--- a/chrome/browser/chromeos/policy/dlp/dlp_rules_manager_unittest.cc
+++ b/chrome/browser/chromeos/policy/dlp/dlp_rules_manager_unittest.cc
@@ -8,8 +8,10 @@
 #include <vector>
 #include "base/strings/strcat.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager_test_utils.h"
+#include "chrome/common/chrome_features.h"
 #include "chrome/test/base/scoped_testing_local_state.h"
 #include "chrome/test/base/testing_browser_process.h"
 #include "components/policy/core/common/policy_pref_names.h"
@@ -35,6 +37,24 @@ constexpr char kUrlPattern3[] = "docs.google.com";
 constexpr char kUrlPattern4[] = "drive.google.com";
 constexpr char kUrlPattern5[] = "*.company.com";
+base::Value GenerateClipboardCopyDisallowedRule() {
+  base::Value rules(base::Value::Type::LIST);
+  base::Value src_urls(base::Value::Type::LIST);
+  src_urls.Append(kUrlStr1);
+  base::Value dst_urls(base::Value::Type::LIST);
+  dst_urls.Append(kUrlStr3);
+  base::Value restrictions(base::Value::Type::LIST);
+  restrictions.Append(dlp_test_util::CreateRestrictionWithLevel(
+      dlp::kClipboardRestriction, dlp::kBlockLevel));
+  restrictions.Append(dlp_test_util::CreateRestrictionWithLevel(
+      dlp::kScreenshotRestriction, dlp::kBlockLevel));
+  rules.Append(dlp_test_util::CreateRule(
+      "rule #1", "Block", std::move(src_urls), std::move(dst_urls),
+      /*dst_components=*/base::Value(base::Value::Type::LIST),
+      std::move(restrictions)));
+  return rules;
+}
 }  // namespace
 class DlpRulesManagerTest : public testing::Test {
@@ -42,6 +62,9 @@ class DlpRulesManagerTest : public testing::Test {
  void SetUp() override {
    testing::Test::SetUp();
+    scoped_feature_list_.InitAndEnableFeature(
+        features::kDataLeakPreventionPolicy);
    DlpRulesManager::Init();
    dlp_rules_manager_ = DlpRulesManager::Get();
  }
@@ -58,6 +81,7 @@ class DlpRulesManagerTest : public testing::Test {
  }
  DlpRulesManager* dlp_rules_manager_;
+  base::test::ScopedFeatureList scoped_feature_list_;
 private:
  ScopedTestingLocalState testing_local_state_;
@@ -223,23 +247,7 @@ TEST_F(DlpRulesManagerTest, IsRestrictedComponent_Clipboard) {
 }
 TEST_F(DlpRulesManagerTest, SameSrcDst_Clipboard) {
-  base::Value rules(base::Value::Type::LIST);
+  base::Value rules = GenerateClipboardCopyDisallowedRule();
-  // First Rule
-  base::Value src_urls(base::Value::Type::LIST);
-  src_urls.Append(kUrlStr1);
-  base::Value dst_urls(base::Value::Type::LIST);
-  dst_urls.Append(kUrlStr3);
-  base::Value restrictions(base::Value::Type::LIST);
-  restrictions.Append(dlp_test_util::CreateRestrictionWithLevel(
-      dlp::kClipboardRestriction, dlp::kBlockLevel));
-  rules.Append(dlp_test_util::CreateRule(
-      "rule #1", "Block", std::move(src_urls), std::move(dst_urls),
-      /*dst_components=*/base::Value(base::Value::Type::LIST),
-      std::move(restrictions)));
  UpdatePolicyPref(std::move(rules));
@@ -250,25 +258,9 @@ TEST_F(DlpRulesManagerTest, SameSrcDst_Clipboard) {
 }
 TEST_F(DlpRulesManagerTest, EmptyUrl_Clipboard) {
-  base::Value rules(base::Value::Type::LIST);
+  base::Value rules = GenerateClipboardCopyDisallowedRule();
-  // First Rule
-  base::Value src_urls_1(base::Value::Type::LIST);
-  src_urls_1.Append(kUrlStr1);
-  base::Value dst_urls_1(base::Value::Type::LIST);
-  dst_urls_1.Append(kUrlStr3);
-  base::Value restrictions_1(base::Value::Type::LIST);
-  restrictions_1.Append(dlp_test_util::CreateRestrictionWithLevel(
-      dlp::kClipboardRestriction, dlp::kBlockLevel));
-  rules.Append(dlp_test_util::CreateRule(
-      "rule #1", "Block *", std::move(src_urls_1), std::move(dst_urls_1),
-      /*dst_components=*/base::Value(base::Value::Type::LIST),
-      std::move(restrictions_1)));
-  // First Rule
+  // Second Rule
  base::Value src_urls_2(base::Value::Type::LIST);
  src_urls_2.Append(kUrlStr4);
@@ -411,4 +403,32 @@ TEST_F(DlpRulesManagerTest, IsRestricted_MultipleURLs) {
                GURL(kUrlStr1), DlpRulesManager::Restriction::kClipboard));
 }
+TEST_F(DlpRulesManagerTest, DisabledByFeature) {
+  base::Value rules = GenerateClipboardCopyDisallowedRule();
+  UpdatePolicyPref(std::move(rules));
+  EXPECT_EQ(DlpRulesManager::Level::kBlock,
+            dlp_rules_manager_->IsRestrictedDestination(
+                GURL(kUrlStr1), GURL(kUrlStr3),
+                DlpRulesManager::Restriction::kClipboard));
+  EXPECT_EQ(DlpRulesManager::Level::kBlock,
+            dlp_rules_manager_->IsRestricted(
+                GURL(kUrlStr1), DlpRulesManager::Restriction::kScreenshot));
+  // Disable feature
+  scoped_feature_list_.Reset();
+  scoped_feature_list_.InitAndDisableFeature(
+      features::kDataLeakPreventionPolicy);
+  UpdatePolicyPref(std::move(rules));
+  EXPECT_EQ(DlpRulesManager::Level::kAllow,
+            dlp_rules_manager_->IsRestrictedDestination(
+                GURL(kUrlStr1), GURL(kUrlStr3),
+                DlpRulesManager::Restriction::kClipboard));
+  EXPECT_EQ(DlpRulesManager::Level::kAllow,
+            dlp_rules_manager_->IsRestricted(
+                GURL(kUrlStr1), DlpRulesManager::Restriction::kScreenshot));
+}
 }  // namespace policy
--- a/chrome/common/chrome_features.cc
+++ b/chrome/common/chrome_features.cc
@@ -201,6 +201,14 @@ const base::Feature kCryptohomeUserDataAuthKillswitch{
    "CryptohomeUserDataAuthKillswitch", base::FEATURE_DISABLED_BY_DEFAULT};
 #endif
+#if defined(OS_CHROMEOS)
+// Enables parsing and enforcing Data Leak Prevention policy rules that
+// restricts usage of some system features, e.g.clipboard, screenshot, etc.
+// for confidential content.
+const base::Feature kDataLeakPreventionPolicy{
+    "DataLeakPreventionPolicy", base::FEATURE_DISABLED_BY_DEFAULT};
+#endif
 #if defined(OS_CHROMEOS)
 // Enables passing additional user authentication in requests to DMServer
 // (policy fetch, status report upload).

--- a/chrome/common/chrome_features.h
+++ b/chrome/common/chrome_features.h
@@ -143,6 +143,11 @@ COMPONENT_EXPORT(CHROME_FEATURES)
 extern const base::Feature kCryptohomeUserDataAuthKillswitch;
 #endif
+#if defined(OS_CHROMEOS)
+COMPONENT_EXPORT(CHROME_FEATURES)
+extern const base::Feature kDataLeakPreventionPolicy;
+#endif
 #if defined(OS_CHROMEOS)
 COMPONENT_EXPORT(CHROME_FEATURES)
 extern const base::Feature kDMServerOAuthForChildUser;