Add policy logic to clipboard dlp controller

1. Changed EnterpriseClipboardDlpController logic
to be based on the policy logic in DlpRulesManager.
2. Added DlpRulesManager::IsAnyRestrcitedComponents
to decide if any component is restricted.

Bug: 1102332
Change-Id: Ib1abc64c71540cb431f94d4dfae44212ef8d3597
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416451
Commit-Queue: Aya Elsayed <ayaelattar@chromium.org>
Reviewed-by: Sergey Poromov <poromov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#810586}

chrome/browser/chromeos/policy/dlp/dlp_rules_manager.cc

@@ -96,6 +96,12 @@ DlpRulesManager::Level GetMaxLevel(const DlpRulesManager::Level& level_1,
                                                                    : level_2;
 }
 
+DlpRulesManager::Level GetMinLevel(const DlpRulesManager::Level& level_1,
+                                   const DlpRulesManager::Level& level_2) {
+  return GetPriorityMapping(level_1) < GetPriorityMapping(level_2) ? level_1
+                                                                   : level_2;
+}
+
 // A singleton instance of DlpRulesManager. Set from DlpRulesManager::Init().
 static DlpRulesManager* g_dlp_rules_manager = nullptr;
 
@@ -180,6 +186,18 @@ DlpRulesManager::Level DlpRulesManager::IsRestrictedComponent(
                                     components_rules_ids);
 }
 
+DlpRulesManager::Level DlpRulesManager::IsRestrictedAnyOfComponents(
+    const GURL& source,
+    const std::vector<Component>& destinations,
+    Restriction restriction) const {
+  Level min_level = Level::kAllow;
+  for (const auto& destination : destinations) {
+    min_level = GetMinLevel(
+        min_level, IsRestrictedComponent(source, destination, restriction));
+  }
+  return min_level;
+}
+
 DlpRulesManager::DlpRulesManager() {
   pref_change_registrar_.Init(g_browser_process->local_state());
   pref_change_registrar_.Add(

chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h

@@ -110,6 +110,14 @@ class DlpRulesManager {
                               const Component& destination,
                               Restriction restriction) const;
 
+  // Returns the enforcement level for `restriction` given that data comes
+  // from `source` and requested to be shared to `destinations`. ALLOW is
+  // returned if there is not any restriction should be applied on any of the
+  // `destinations`. Requires `restriction` to be clipboard.
+  Level IsRestrictedAnyOfComponents(const GURL& source,
+                                    const std::vector<Component>& destinations,
+                                    Restriction restriction) const;
+
  private:
   friend class DlpRulesManagerTest;
 

chrome/browser/chromeos/policy/dlp/dlp_rules_manager_unittest.cc

@@ -5,6 +5,7 @@
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h"
 
 #include <string>
+#include <vector>
 
 #include "base/values.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager_test_utils.h"
@@ -279,4 +280,40 @@ TEST_F(DlpRulesManagerTest, EmptyUrl_Clipboard) {
           GURL(kUrlStr4), GURL(), DlpRulesManager::Restriction::kClipboard));
 }
 
+TEST_F(DlpRulesManagerTest, IsRestrictedAnyOfComponents_Clipboard) {
+  base::Value rules(base::Value::Type::LIST);
+
+  // First Rule
+  base::Value src_urls(base::Value::Type::LIST);
+  src_urls.Append(kUrlStr1);
+
+  base::Value dst_urls(base::Value::Type::LIST);
+  dst_urls.Append(dlp::kPluginVm);
+
+  base::Value restrictions(base::Value::Type::LIST);
+  restrictions.Append(
+      CreateRestrictionWithLevel(dlp::kClipboardRestriction, dlp::kBlockLevel));
+
+  rules.Append(CreateRule("rule #1", "Block PluginVM", std::move(src_urls),
+                          base::Value(base::Value::Type::LIST),
+                          std::move(dst_urls), std::move(restrictions)));
+
+  UpdatePolicyPref(std::move(rules));
+
+  EXPECT_EQ(DlpRulesManager::Level::kBlock,
+            dlp_rules_manager_->IsRestrictedAnyOfComponents(
+                GURL(kUrlStr1),
+                std::vector<DlpRulesManager::Component>{
+                    DlpRulesManager::Component::kPluginVm,
+                    DlpRulesManager::Component::kCrostini},
+                DlpRulesManager::Restriction::kClipboard));
+  EXPECT_EQ(DlpRulesManager::Level::kAllow,
+            dlp_rules_manager_->IsRestrictedAnyOfComponents(
+                GURL(kUrlStr1),
+                std::vector<DlpRulesManager::Component>{
+                    DlpRulesManager::Component::kArc,
+                    DlpRulesManager::Component::kCrostini},
+                DlpRulesManager::Restriction::kClipboard));
+}
+
 }  // namespace policy

chrome/browser/chromeos/policy/dlp/enterprise_clipboard_dlp_controller.cc

@@ -4,10 +4,11 @@
 
 #include "chrome/browser/chromeos/policy/dlp/enterprise_clipboard_dlp_controller.h"
 
+#include <vector>
+
 #include "ash/public/cpp/toast_data.h"
 #include "ash/public/cpp/toast_manager.h"
 #include "base/optional.h"
-#include "base/strings/string16.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/crostini/crostini_util.h"
 #include "chrome/browser/chromeos/plugin_vm/plugin_vm_util.h"
@@ -18,6 +19,7 @@
 #include "ui/base/clipboard/clipboard.h"
 #include "ui/base/clipboard/clipboard_data_endpoint.h"
 #include "ui/base/l10n/l10n_util.h"
+#include "url/gurl.h"
 
 namespace policy {
 
@@ -28,13 +30,41 @@ constexpr int kToastDurationMs = 2500;
 
 }  // namespace
 
+EnterpriseClipboardDlpController::EnterpriseClipboardDlpController() = default;
+
+EnterpriseClipboardDlpController::~EnterpriseClipboardDlpController() = default;
+
 bool EnterpriseClipboardDlpController::IsDataReadAllowed(
     const ui::ClipboardDataEndpoint* const data_src,
     const ui::ClipboardDataEndpoint* const data_dst) const {
-  // TODO(crbug.com/1102332): all the policy logic should be added later.
+  if (!data_src) {
+    return true;
+  }
 
   DlpRulesManager::Level level = DlpRulesManager::Level::kAllow;
 
+  if (!data_dst) {
+    // Passing empty URL will return restricted if there's a rule restricting
+    // the src against any dst (*), otherwise it will return ALLOW.
+    level = DlpRulesManager::Get()->IsRestrictedDestination(
+        data_src->origin()->GetURL(), GURL(),
+        DlpRulesManager::Restriction::kClipboard);
+  } else if (data_dst->IsUrlType()) {
+    level = DlpRulesManager::Get()->IsRestrictedDestination(
+        data_src->origin()->GetURL(), data_dst->origin()->GetURL(),
+        DlpRulesManager::Restriction::kClipboard);
+  } else if (data_dst->type() == ui::EndpointType::kGuestOs) {
+    level = DlpRulesManager::Get()->IsRestrictedAnyOfComponents(
+        data_src->origin()->GetURL(),
+        std::vector<DlpRulesManager::Component>{
+            DlpRulesManager::Component::kPluginVm,
+            DlpRulesManager::Component::kCrostini},
+        DlpRulesManager::Restriction::kClipboard);
+  } else {
+    NOTREACHED();
+  }
+  // TODO(crbug.com/1129345): Add a separate handling for ARC
+
   if (level == DlpRulesManager::Level::kBlock) {
     ShowBlockToast(GetToastText(data_dst));
   }

chrome/browser/chromeos/policy/dlp/enterprise_clipboard_dlp_controller.h

@@ -19,8 +19,8 @@ namespace policy {
 // policy rules set by the admin.
 class EnterpriseClipboardDlpController : public ui::ClipboardDlpController {
  public:
-  EnterpriseClipboardDlpController() = default;
-  ~EnterpriseClipboardDlpController() override = default;
+  EnterpriseClipboardDlpController();
+  ~EnterpriseClipboardDlpController() override;
 
   EnterpriseClipboardDlpController(const EnterpriseClipboardDlpController&) =
       delete;