DLP: Support Warn in DlpRulesManager

- Added warn as one of the restriction levels, and add the required unittests. - Renamed the urls and patterns in the unittests to reduce confusion. Bug: 1169080 Change-Id: I806d1fb7aa8a4c94cd47b02e5be3a8636b2e26ca Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2642776 Commit-Queue: Aya Elsayed <ayaelattar@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/master@{#846038}

DLP: Support Warn in DlpRulesManager
- Added warn as one of the restriction levels, and add the required unittests. - Renamed the urls and patterns in the unittests to reduce confusion. Bug: 1169080 Change-Id: I806d1fb7aa8a4c94cd47b02e5be3a8636b2e26ca Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2642776 Commit-Queue: Aya Elsayed <ayaelattar@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/master@{#846038}
113777ba · Aya ElAttar · Chromium LUCI CQ · 3d1a3f3e · 113777ba · 113777ba
Commit 113777ba authored Jan 22, 2021 by Aya ElAttar Committed by Chromium LUCI CQ Jan 22, 2021
4 changed files
--- a/chrome/browser/chromeos/policy/dlp/dlp_policy_constants.h
+++ b/chrome/browser/chromeos/policy/dlp/dlp_policy_constants.h
@@ -23,6 +23,7 @@ constexpr char kPluginVm[] = "PLUGIN_VM";
 constexpr char kAllowLevel[] = "ALLOW";
 constexpr char kBlockLevel[] = "BLOCK";
+constexpr char kWarnLevel[] = "WARN";
 }  // namespace dlp

--- a/chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h
+++ b/chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h
@@ -48,7 +48,8 @@ class DlpRulesManager : public KeyedService {
    kNotSet,  // Restriction level is not set.
    kBlock,   // Sets the restriction level to block the user on every action.
    kAllow,   // Sets the restriction level to allow (no restriction).
-    kMaxValue = kAllow
+    kWarn,    // Sets the restriction level to warn the user on every action.
+    kMaxValue = kWarn
  };
  ~DlpRulesManager() override = default;

--- a/chrome/browser/chromeos/policy/dlp/dlp_rules_manager_impl.cc
+++ b/chrome/browser/chromeos/policy/dlp/dlp_rules_manager_impl.cc
@@ -52,7 +52,8 @@ DlpRulesManager::Level GetLevelMapping(const std::string& level) {
  static constexpr auto kLevelsMap =
      base::MakeFixedFlatMap<base::StringPiece, DlpRulesManager::Level>(
          {{dlp::kAllowLevel, DlpRulesManager::Level::kAllow},
-           {dlp::kBlockLevel, DlpRulesManager::Level::kBlock}});
+           {dlp::kBlockLevel, DlpRulesManager::Level::kBlock},
+           {dlp::kWarnLevel, DlpRulesManager::Level::kWarn}});
  auto* it = kLevelsMap.find(level);
  return (it == kLevelsMap.end()) ? DlpRulesManager::Level::kNotSet
                                  : it->second;
@@ -75,8 +76,9 @@ uint8_t GetPriorityMapping(const DlpRulesManager::Level level) {
  static constexpr auto kPrioritiesMap =
      base::MakeFixedFlatMap<DlpRulesManager::Level, uint8_t>(
          {{DlpRulesManager::Level::kNotSet, 0},
-           {DlpRulesManager::Level::kBlock, 1},
+           {DlpRulesManager::Level::kWarn, 1},
-           {DlpRulesManager::Level::kAllow, 2}});
+           {DlpRulesManager::Level::kBlock, 2},
+           {DlpRulesManager::Level::kAllow, 3}});
  return kPrioritiesMap.at(level);
 }

--- a/chrome/browser/chromeos/policy/dlp/dlp_rules_manager_impl_unittest.cc
+++ b/chrome/browser/chromeos/policy/dlp/dlp_rules_manager_impl_unittest.cc
@@ -24,25 +24,27 @@ namespace policy {
 namespace {
-constexpr char kUrlStr1[] = "https://wwww.example.com";
+constexpr char kExampleUrl[] = "https://wwww.example.com";
-constexpr char kUrlStr2[] = "https://wwww.google.com";
+constexpr char kGoogleUrl[] = "https://wwww.google.com";
-constexpr char kUrlStr3[] = "*";
+constexpr char kWildCardMatching[] = "*";
-constexpr char kUrlStr4[] = "https://www.gmail.com";
+constexpr char kGmailUrl[] = "https://www.gmail.com";
 constexpr char kHttpsPrefix[] = "https://www.";
-constexpr char kUrlPattern1[] = "chat.google.com";
+constexpr char kChatPattern[] = "chat.google.com";
-constexpr char kUrlPattern2[] = "salesforce.com";
+constexpr char kSalesforcePattern[] = "salesforce.com";
-constexpr char kUrlPattern3[] = "docs.google.com";
+constexpr char kDocsPattern[] = "docs.google.com";
-constexpr char kUrlPattern4[] = "drive.google.com";
+constexpr char kDrivePattern[] = "drive.google.com";
-constexpr char kUrlPattern5[] = "*.company.com";
+constexpr char kCompanyPattern[] = "*.company.com";
+constexpr char kGooglePatten[] = "google.com";
+constexpr char kMailPattern[] = "mail.google.com";
 base::Value GenerateClipboardCopyDisallowedRule() {
  base::Value rules(base::Value::Type::LIST);
  base::Value src_urls(base::Value::Type::LIST);
-  src_urls.Append(kUrlStr1);
+  src_urls.Append(kExampleUrl);
  base::Value dst_urls(base::Value::Type::LIST);
-  dst_urls.Append(kUrlStr3);
+  dst_urls.Append(kWildCardMatching);
  base::Value restrictions(base::Value::Type::LIST);
  restrictions.Append(dlp_test_util::CreateRestrictionWithLevel(
      dlp::kClipboardRestriction, dlp::kBlockLevel));
@@ -78,22 +80,22 @@ TEST_F(DlpRulesManagerImplTest, EmptyPref) {
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestricted(
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kPrinting));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kPrinting));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(kUrlStr1), GURL(kUrlStr2),
+                GURL(kExampleUrl), GURL(kGoogleUrl),
                DlpRulesManager::Restriction::kClipboard));
 }
-TEST_F(DlpRulesManagerImplTest, IsRestricted_LevelPrecedence) {
+TEST_F(DlpRulesManagerImplTest, BlockPriority) {
  base::Value rules(base::Value::Type::LIST);
  // First Rule
  base::Value src_urls_1(base::Value::Type::LIST);
-  src_urls_1.Append(kUrlStr1);
+  src_urls_1.Append(kExampleUrl);
  base::Value dst_urls_1(base::Value::Type::LIST);
-  dst_urls_1.Append(kUrlStr3);
+  dst_urls_1.Append(kWildCardMatching);
  base::Value restrictions_1(base::Value::Type::LIST);
  restrictions_1.Append(dlp_test_util::CreateRestrictionWithLevel(
@@ -108,10 +110,10 @@ TEST_F(DlpRulesManagerImplTest, IsRestricted_LevelPrecedence) {
  // Second Rule
  base::Value src_urls_2(base::Value::Type::LIST);
-  src_urls_2.Append(kUrlStr1);
+  src_urls_2.Append(kExampleUrl);
  base::Value dst_urls_2(base::Value::Type::LIST);
-  dst_urls_2.Append(kUrlStr2);
+  dst_urls_2.Append(kGoogleUrl);
  base::Value restrictions_2(base::Value::Type::LIST);
  restrictions_2.Append(dlp_test_util::CreateRestrictionWithLevel(
@@ -126,34 +128,34 @@ TEST_F(DlpRulesManagerImplTest, IsRestricted_LevelPrecedence) {
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(kUrlStr1), GURL(kUrlStr2),
+                GURL(kExampleUrl), GURL(kGoogleUrl),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(kUrlStr1), GURL(kUrlStr4),
+                GURL(kExampleUrl), GURL(kGmailUrl),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestricted(
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kScreenshot));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kScreenshot));
  // Clear pref
  UpdatePolicyPref(base::Value(base::Value::Type::LIST));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(kUrlStr1), GURL(kUrlStr2),
+                GURL(kExampleUrl), GURL(kGoogleUrl),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(kUrlStr1), GURL(kUrlStr4),
+                GURL(kExampleUrl), GURL(kGmailUrl),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestricted(
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kScreenshot));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kScreenshot));
 }
 TEST_F(DlpRulesManagerImplTest, UpdatePref) {
@@ -161,7 +163,7 @@ TEST_F(DlpRulesManagerImplTest, UpdatePref) {
  base::Value rules_1(base::Value::Type::LIST);
  base::Value src_urls_1(base::Value::Type::LIST);
-  src_urls_1.Append(kUrlStr1);
+  src_urls_1.Append(kExampleUrl);
  base::Value restrictions_1(base::Value::Type::LIST);
  restrictions_1.Append(dlp_test_util::CreateRestrictionWithLevel(
@@ -176,13 +178,13 @@ TEST_F(DlpRulesManagerImplTest, UpdatePref) {
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestricted(
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kScreenshot));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kScreenshot));
  // Second DLP rule
  base::Value rules_2(base::Value::Type::LIST);
  base::Value src_urls_2(base::Value::Type::LIST);
-  src_urls_2.Append(kUrlStr2);
+  src_urls_2.Append(kGoogleUrl);
  base::Value restrictions_2(base::Value::Type::LIST);
  restrictions_2.Append(dlp_test_util::CreateRestrictionWithLevel(
@@ -197,17 +199,17 @@ TEST_F(DlpRulesManagerImplTest, UpdatePref) {
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestricted(
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kScreenshot));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kScreenshot));
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestricted(
-                GURL(kUrlStr2), DlpRulesManager::Restriction::kScreenshot));
+                GURL(kGoogleUrl), DlpRulesManager::Restriction::kScreenshot));
 }
 TEST_F(DlpRulesManagerImplTest, IsRestrictedComponent_Clipboard) {
  base::Value rules(base::Value::Type::LIST);
  base::Value src_urls(base::Value::Type::LIST);
-  src_urls.Append(kUrlStr1);
+  src_urls.Append(kExampleUrl);
  base::Value dst_components(base::Value::Type::LIST);
  dst_components.Append("ARC");
@@ -224,11 +226,11 @@ TEST_F(DlpRulesManagerImplTest, IsRestrictedComponent_Clipboard) {
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestrictedComponent(
-                GURL(kUrlStr1), DlpRulesManager::Component::kArc,
+                GURL(kExampleUrl), DlpRulesManager::Component::kArc,
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedComponent(
-                GURL(kUrlStr1), DlpRulesManager::Component::kCrostini,
+                GURL(kExampleUrl), DlpRulesManager::Component::kCrostini,
                DlpRulesManager::Restriction::kClipboard));
 }
@@ -239,7 +241,7 @@ TEST_F(DlpRulesManagerImplTest, SameSrcDst_Clipboard) {
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(kUrlStr1), GURL(kUrlStr1),
+                GURL(kExampleUrl), GURL(kExampleUrl),
                DlpRulesManager::Restriction::kClipboard));
 }
@@ -248,10 +250,10 @@ TEST_F(DlpRulesManagerImplTest, EmptyUrl_Clipboard) {
  // Second Rule
  base::Value src_urls_2(base::Value::Type::LIST);
-  src_urls_2.Append(kUrlStr4);
+  src_urls_2.Append(kGmailUrl);
  base::Value dst_urls_2(base::Value::Type::LIST);
-  dst_urls_2.Append(kUrlStr2);
+  dst_urls_2.Append(kGoogleUrl);
  base::Value restrictions_2(base::Value::Type::LIST);
  restrictions_2.Append(dlp_test_util::CreateRestrictionWithLevel(
@@ -267,22 +269,22 @@ TEST_F(DlpRulesManagerImplTest, EmptyUrl_Clipboard) {
  EXPECT_EQ(
      DlpRulesManager::Level::kBlock,
      dlp_rules_manager_.IsRestrictedDestination(
-          GURL(kUrlStr1), GURL(), DlpRulesManager::Restriction::kClipboard));
+          GURL(kExampleUrl), GURL(), DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(
      DlpRulesManager::Level::kAllow,
      dlp_rules_manager_.IsRestrictedDestination(
-          GURL(kUrlStr4), GURL(), DlpRulesManager::Restriction::kClipboard));
+          GURL(kGmailUrl), GURL(), DlpRulesManager::Restriction::kClipboard));
 }
 TEST_F(DlpRulesManagerImplTest, IsRestricted_MultipleURLs) {
  base::Value rules(base::Value::Type::LIST);
  base::Value src_urls_1(base::Value::Type::LIST);
-  src_urls_1.Append(kUrlPattern1);
+  src_urls_1.Append(kChatPattern);
-  src_urls_1.Append(kUrlPattern2);
+  src_urls_1.Append(kSalesforcePattern);
-  src_urls_1.Append(kUrlPattern3);
+  src_urls_1.Append(kDocsPattern);
-  src_urls_1.Append(kUrlPattern4);
+  src_urls_1.Append(kDrivePattern);
-  src_urls_1.Append(kUrlPattern5);
+  src_urls_1.Append(kCompanyPattern);
  base::Value dst_urls_1 = src_urls_1.Clone();
  base::Value src_urls_2 = src_urls_1.Clone();
@@ -298,7 +300,7 @@ TEST_F(DlpRulesManagerImplTest, IsRestricted_MultipleURLs) {
      std::move(restrictions_1)));
  base::Value dst_urls_2(base::Value::Type::LIST);
-  dst_urls_2.Append(kUrlStr3);
+  dst_urls_2.Append(kWildCardMatching);
  base::Value restrictions_2(base::Value::Type::LIST);
  restrictions_2.Append(dlp_test_util::CreateRestrictionWithLevel(
@@ -315,41 +317,41 @@ TEST_F(DlpRulesManagerImplTest, IsRestricted_MultipleURLs) {
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern1})),
+                GURL(base::StrCat({kHttpsPrefix, kChatPattern})),
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern2})),
+                GURL(base::StrCat({kHttpsPrefix, kSalesforcePattern})),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern3})),
+                GURL(base::StrCat({kHttpsPrefix, kDocsPattern})),
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern4})),
+                GURL(base::StrCat({kHttpsPrefix, kDrivePattern})),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern5})),
+                GURL(base::StrCat({kHttpsPrefix, kCompanyPattern})),
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern2})),
+                GURL(base::StrCat({kHttpsPrefix, kSalesforcePattern})),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern2})),
+                GURL(base::StrCat({kHttpsPrefix, kSalesforcePattern})),
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern3})),
+                GURL(base::StrCat({kHttpsPrefix, kDocsPattern})),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern1})),
+                GURL(base::StrCat({kHttpsPrefix, kChatPattern})),
-                GURL(kUrlStr2), DlpRulesManager::Restriction::kClipboard));
+                GURL(kGoogleUrl), DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern2})),
+                GURL(base::StrCat({kHttpsPrefix, kSalesforcePattern})),
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kClipboard));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern3})),
+                GURL(base::StrCat({kHttpsPrefix, kDocsPattern})),
-                GURL(kUrlStr2), DlpRulesManager::Restriction::kClipboard));
+                GURL(kGoogleUrl), DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(base::StrCat({kHttpsPrefix, kUrlPattern4})),
+                GURL(base::StrCat({kHttpsPrefix, kDrivePattern})),
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kClipboard));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kClipboard));
 }
 TEST_F(DlpRulesManagerImplTest, DisabledByFeature) {
@@ -359,11 +361,11 @@ TEST_F(DlpRulesManagerImplTest, DisabledByFeature) {
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(kUrlStr1), GURL(kUrlStr3),
+                GURL(kExampleUrl), GURL(kWildCardMatching),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kBlock,
            dlp_rules_manager_.IsRestricted(
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kScreenshot));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kScreenshot));
  // Disable feature
  base::test::ScopedFeatureList scoped_feature_list;
@@ -373,11 +375,87 @@ TEST_F(DlpRulesManagerImplTest, DisabledByFeature) {
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestrictedDestination(
-                GURL(kUrlStr1), GURL(kUrlStr3),
+                GURL(kExampleUrl), GURL(kWildCardMatching),
                DlpRulesManager::Restriction::kClipboard));
  EXPECT_EQ(DlpRulesManager::Level::kAllow,
            dlp_rules_manager_.IsRestricted(
-                GURL(kUrlStr1), DlpRulesManager::Restriction::kScreenshot));
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kScreenshot));
+}
+TEST_F(DlpRulesManagerImplTest, WarnPriority) {
+  base::Value rules(base::Value::Type::LIST);
+  // First Rule
+  base::Value src_urls_1(base::Value::Type::LIST);
+  src_urls_1.Append(kGooglePatten);
+  base::Value dst_urls_1(base::Value::Type::LIST);
+  dst_urls_1.Append(kWildCardMatching);
+  base::Value restrictions_1(base::Value::Type::LIST);
+  restrictions_1.Append(dlp_test_util::CreateRestrictionWithLevel(
+      dlp::kClipboardRestriction, dlp::kWarnLevel));
+  rules.Append(dlp_test_util::CreateRule(
+      "rule #1", "Warn on every copy from google.com", std::move(src_urls_1),
+      std::move(dst_urls_1),
+      /*dst_components=*/base::Value(base::Value::Type::LIST),
+      std::move(restrictions_1)));
+  // Second Rule
+  base::Value src_urls_2(base::Value::Type::LIST);
+  src_urls_2.Append(kDocsPattern);
+  src_urls_2.Append(kDrivePattern);
+  src_urls_2.Append(kMailPattern);
+  base::Value src_urls_3 = src_urls_2.Clone();
+  base::Value dst_urls_2(base::Value::Type::LIST);
+  dst_urls_2.Append(kWildCardMatching);
+  base::Value restrictions_2(base::Value::Type::LIST);
+  restrictions_2.Append(dlp_test_util::CreateRestrictionWithLevel(
+      dlp::kClipboardRestriction, dlp::kBlockLevel));
+  rules.Append(dlp_test_util::CreateRule(
+      "rule #2", "Block copy/paste from docs, drive, gmail",
+      std::move(src_urls_2), std::move(dst_urls_2),
+      /*dst_components=*/base::Value(base::Value::Type::LIST),
+      std::move(restrictions_2)));
+  // Third Rule
+  base::Value dst_urls_3 = src_urls_3.Clone();
+  base::Value restrictions_3(base::Value::Type::LIST);
+  restrictions_3.Append(dlp_test_util::CreateRestrictionWithLevel(
+      dlp::kClipboardRestriction, dlp::kAllowLevel));
+  rules.Append(dlp_test_util::CreateRule(
+      "rule #3", "Allow copy/paste inside docs, drive, gmail",
+      std::move(src_urls_3), std::move(dst_urls_3),
+      /*dst_components=*/base::Value(base::Value::Type::LIST),
+      std::move(restrictions_3)));
+  UpdatePolicyPref(std::move(rules));
+  // Copy/paste from chat.google to example.com should be warned.
+  EXPECT_EQ(DlpRulesManager::Level::kWarn,
+            dlp_rules_manager_.IsRestrictedDestination(
+                GURL(base::StrCat({kHttpsPrefix, kChatPattern})),
+                GURL(kExampleUrl), DlpRulesManager::Restriction::kClipboard));
+  // Copy/paste from docs to salesforce should be blocked.
+  EXPECT_EQ(DlpRulesManager::Level::kBlock,
+            dlp_rules_manager_.IsRestrictedDestination(
+                GURL(base::StrCat({kHttpsPrefix, kDocsPattern})),
+                GURL(base::StrCat({kHttpsPrefix, kSalesforcePattern})),
+                DlpRulesManager::Restriction::kClipboard));
+  // Copy/paste from docs to gmail should be allowed.
+  EXPECT_EQ(DlpRulesManager::Level::kAllow,
+            dlp_rules_manager_.IsRestrictedDestination(
+                GURL(base::StrCat({kHttpsPrefix, kDocsPattern})),
+                GURL(base::StrCat({kHttpsPrefix, kMailPattern})),
+                DlpRulesManager::Restriction::kClipboard));
 }
 }  // namespace policy