Prevent single-app kiosk mode auto-launch if device is disabled

If a device is disabled, it should show the disabled screen and not
start any sessions. Regular sessions, auto-launch for public sessions
and auto-launch for consumer kiosk mode respected this. Auto-launch
for enterprise kiosk mode takes a different code path that had
slipped through the cracks. The effect was that single-app kiosk mode
would auto-launch even if a device was disabled.

BUG=454005
TEST=New browser test

Review URL: https://codereview.chromium.org/882043006

Cr-Commit-Position: refs/heads/master@{#314330}

chrome/browser/chromeos/login/kiosk_browsertest.cc

@@ -9,12 +9,16 @@
 #include "base/bind_helpers.h"
 #include "base/files/file_util.h"
 #include "base/location.h"
+#include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/path_service.h"
 #include "base/prefs/pref_service.h"
+#include "base/run_loop.h"
+#include "base/single_thread_task_runner.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/synchronization/lock.h"
+#include "base/thread_task_runner_handle.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/chromeos/app_mode/fake_cws.h"
 #include "chrome/browser/chromeos/app_mode/kiosk_app_launch_error.h"
@@ -25,6 +29,8 @@
 #include "chrome/browser/chromeos/login/test/app_window_waiter.h"
 #include "chrome/browser/chromeos/login/test/oobe_base_test.h"
 #include "chrome/browser/chromeos/login/test/oobe_screen_waiter.h"
+#include "chrome/browser/chromeos/login/ui/login_display_host.h"
+#include "chrome/browser/chromeos/login/ui/login_display_host_impl.h"
 #include "chrome/browser/chromeos/login/users/fake_user_manager.h"
 #include "chrome/browser/chromeos/login/users/mock_user_manager.h"
 #include "chrome/browser/chromeos/login/users/scoped_user_manager_enabler.h"
@@ -32,6 +38,7 @@
 #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/chromeos/settings/device_settings_service.h"
@@ -47,6 +54,7 @@
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/disks/disk_mount_manager.h"
+#include "chromeos/settings/cros_settings_provider.h"
 #include "components/signin/core/browser/signin_manager.h"
 #include "components/signin/core/common/signin_pref_names.h"
 #include "content/public/browser/browser_thread.h"
@@ -395,6 +403,68 @@ class AppDataLoadWaiter : public KioskAppManagerObserver {
   DISALLOW_COPY_AND_ASSIGN(AppDataLoadWaiter);
 };
 
+class CrosSettingsPermanentlyUntrustedMaker :
+    public DeviceSettingsService::Observer {
+ public:
+  CrosSettingsPermanentlyUntrustedMaker();
+
+  // DeviceSettingsService::Observer:
+  void OwnershipStatusChanged() override;
+  void DeviceSettingsUpdated() override;
+  void OnDeviceSettingsServiceShutdown() override;
+
+ private:
+  bool untrusted_check_running_;
+  base::RunLoop run_loop_;
+
+  void CheckIfUntrusted();
+
+  DISALLOW_COPY_AND_ASSIGN(CrosSettingsPermanentlyUntrustedMaker);
+};
+
+CrosSettingsPermanentlyUntrustedMaker::CrosSettingsPermanentlyUntrustedMaker()
+    : untrusted_check_running_(false) {
+  DeviceSettingsService::Get()->AddObserver(this);
+
+  policy::DevicePolicyCrosTestHelper().InstallOwnerKey();
+  DeviceSettingsService::Get()->OwnerKeySet(true);
+
+  run_loop_.Run();
+}
+
+void CrosSettingsPermanentlyUntrustedMaker::OwnershipStatusChanged() {
+  if (untrusted_check_running_)
+    return;
+
+  base::ThreadTaskRunnerHandle::Get()->PostTask(
+      FROM_HERE,
+      base::Bind(&CrosSettingsPermanentlyUntrustedMaker::CheckIfUntrusted,
+                 base::Unretained(this)));
+}
+
+void CrosSettingsPermanentlyUntrustedMaker::DeviceSettingsUpdated() {
+}
+
+void CrosSettingsPermanentlyUntrustedMaker::OnDeviceSettingsServiceShutdown() {
+}
+
+void CrosSettingsPermanentlyUntrustedMaker::CheckIfUntrusted() {
+  untrusted_check_running_ = true;
+  const CrosSettingsProvider::TrustedStatus trusted_status =
+      CrosSettings::Get()->PrepareTrustedValues(
+          base::Bind(&CrosSettingsPermanentlyUntrustedMaker::CheckIfUntrusted,
+                     base::Unretained(this)));
+  if (trusted_status == CrosSettingsProvider::TEMPORARILY_UNTRUSTED)
+    return;
+  untrusted_check_running_ = false;
+
+  if (trusted_status == CrosSettingsProvider::TRUSTED)
+    return;
+
+  DeviceSettingsService::Get()->RemoveObserver(this);
+  run_loop_.Quit();
+}
+
 }  // namespace
 
 class KioskTest : public OobeBaseTest {
@@ -703,11 +773,6 @@ class KioskTest : public OobeBaseTest {
     return auto_lock.Pass();
   }
 
-  void MakeCrosSettingsPermanentlyUntrusted() {
-    policy::DevicePolicyCrosTestHelper().InstallOwnerKey();
-    DeviceSettingsService::Get()->OwnerKeySet(true);
-  }
-
   MockUserManager* mock_user_manager() { return mock_user_manager_.get(); }
 
   void set_test_app_id(const std::string& test_app_id) {
@@ -1135,7 +1200,7 @@ IN_PROC_BROWSER_TEST_F(KioskTest, DoNotLaunchWhenUntrusted) {
   SimulateNetworkOnline();
 
   // Make cros settings untrusted.
-  MakeCrosSettingsPermanentlyUntrusted();
+  CrosSettingsPermanentlyUntrustedMaker();
 
   // Check that the attempt to start a kiosk app fails with an error.
   LaunchApp(test_app_id(), false);
@@ -1153,7 +1218,9 @@ IN_PROC_BROWSER_TEST_F(KioskTest, DoNotLaunchWhenUntrusted) {
       &ignored));
 }
 
-IN_PROC_BROWSER_TEST_F(KioskTest, NoAutoLaunchWhenUntrusted) {
+// Verifies that a consumer device does not auto-launch kiosk mode when cros
+// settings are untrusted.
+IN_PROC_BROWSER_TEST_F(KioskTest, NoConsumerAutoLaunchWhenUntrusted) {
   EnableConsumerKioskMode();
 
   // Wait for and confirm the auto-launch warning.
@@ -1172,12 +1239,32 @@ IN_PROC_BROWSER_TEST_F(KioskTest, NoAutoLaunchWhenUntrusted) {
       base::FundamentalValue(true));
 
   // Make cros settings untrusted.
-  MakeCrosSettingsPermanentlyUntrusted();
+  CrosSettingsPermanentlyUntrustedMaker();
 
   // Check that the attempt to auto-launch a kiosk app fails with an error.
   OobeScreenWaiter(OobeDisplay::SCREEN_ERROR_MESSAGE).Wait();
 }
 
+// Verifies that an enterprise device does not auto-launch kiosk mode when cros
+// settings are untrusted.
+IN_PROC_BROWSER_TEST_F(KioskTest, NoEnterpriseAutoLaunchWhenUntrusted) {
+  PrepareAppLaunch();
+  SimulateNetworkOnline();
+
+  // Make cros settings untrusted.
+  CrosSettingsPermanentlyUntrustedMaker();
+
+  // Trigger the code that handles auto-launch on enterprise devices. This would
+  // normally be called from ShowLoginWizard(), which runs so early that it is
+  // not to inject an auto-launch policy before it runs.
+  LoginDisplayHost* login_display_host = LoginDisplayHostImpl::default_host();
+  ASSERT_TRUE(login_display_host);
+  login_display_host->StartAppLaunch(test_app_id(), false);
+
+  // Check that no launch has started.
+  EXPECT_FALSE(login_display_host->GetAppLaunchController());
+}
+
 class KioskUpdateTest : public KioskTest {
  public:
   KioskUpdateTest() {}

chrome/browser/chromeos/login/ui/login_display_host_impl.cc

@@ -49,6 +49,8 @@
 #include "chrome/browser/chromeos/net/delay_network_call.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/enrollment_config.h"
+#include "chrome/browser/chromeos/settings/cros_settings.h"
+#include "chrome/browser/chromeos/system/device_disabling_manager.h"
 #include "chrome/browser/chromeos/system/input_device_settings.h"
 #include "chrome/browser/chromeos/system/timezone_util.h"
 #include "chrome/browser/chromeos/ui/focus_ring_controller.h"
@@ -65,6 +67,8 @@
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/session_manager_client.h"
 #include "chromeos/login/login_state.h"
+#include "chromeos/settings/cros_settings_names.h"
+#include "chromeos/settings/cros_settings_provider.h"
 #include "chromeos/settings/timezone_settings.h"
 #include "chromeos/timezone/timezone_resolver.h"
 #include "components/session_manager/core/session_manager.h"
@@ -667,6 +671,35 @@ void LoginDisplayHostImpl::StartAppLaunch(const std::string& app_id,
                                           bool diagnostic_mode) {
   VLOG(1) << "Login WebUI >> start app launch.";
   SetStatusAreaVisible(false);
+
+  // Wait for the |CrosSettings| to become either trusted or permanently
+  // untrusted.
+  const CrosSettingsProvider::TrustedStatus status =
+      CrosSettings::Get()->PrepareTrustedValues(base::Bind(
+          &LoginDisplayHostImpl::StartAppLaunch,
+          pointer_factory_.GetWeakPtr(),
+          app_id,
+          diagnostic_mode));
+  if (status == CrosSettingsProvider::TEMPORARILY_UNTRUSTED)
+    return;
+
+  if (status == CrosSettingsProvider::PERMANENTLY_UNTRUSTED) {
+    // If the |CrosSettings| are permanently untrusted, refuse to launch a
+    // single-app kiosk mode session.
+    LOG(ERROR) << "Login WebUI >> Refusing to launch single-app kiosk mode.";
+    SetStatusAreaVisible(true);
+    return;
+  }
+
+  bool device_disabled = false;
+  CrosSettings::Get()->GetBoolean(kDeviceDisabled, &device_disabled);
+  if (device_disabled && system::DeviceDisablingManager::
+                             HonorDeviceDisablingDuringNormalOperation()) {
+    // If the device is disabled, bail out. A device disabled screen will be
+    // shown by the DeviceDisablingManager.
+    return;
+  }
+
   finalize_animation_type_ = ANIMATION_FADE_OUT;
   if (!login_window_)
     LoadURL(GURL(kAppLaunchSplashURL));