[Lacros] Enable certificates for some users

Enable certificate initialization in Lacros-Chrome for a small
number of users. This will help with early testing.

Bug: 1145946
Change-Id: I0fe30d1a2ff5a40580db9f75b12ce8d5b59e2caf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2566965
Commit-Queue: Michael Ershov <miersh@google.com>
Reviewed-by: Kush Sinha <sinhak@chromium.org>
Reviewed-by: Erik Chen <erikchen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#836438}

chrome/browser/lacros/cert_db_initializer_factory.cc

@@ -46,10 +46,6 @@ KeyedService* CertDbInitializerFactory::BuildServiceInstanceFor(
   }
 
   CertDbInitializerImpl* result = new CertDbInitializerImpl(profile);
-  // TODO(crbug.com/1145946): Enable certificate database initialization when
-  // the policy stack is ready (expected to happen before Feb 2021).
-  if (/* DISABLES CODE */ (false)) {
-    result->Start(IdentityManagerFactory::GetForProfile(profile));
-  }
+  result->Start(IdentityManagerFactory::GetForProfile(profile));
   return result;
 }

chrome/browser/lacros/cert_db_initializer_impl.cc

@@ -22,8 +22,45 @@
 #include "crypto/nss_util_internal.h"
 #include "mojo/public/cpp/bindings/remote.h"
 
+// Includes for `IsEnabledForEarlyAccess()`.
+#include "base/containers/flat_set.h"
+#include "base/no_destructor.h"
+#include "chrome/browser/signin/identity_manager_factory.h"
+
 namespace {
 
+// TODO(crbug.com/1145946): Enable certificate database initialization for
+// everyone when the policy stack is ready (expected to happen before Feb 2021).
+bool IsEnabledForEarlyAccess(Profile* profile) {
+  static base::NoDestructor<base::flat_set<std::string>> allowlist{
+      {"bartfab@google.com",       "darin@google.com",
+       "dhaddock@google.com",      "edcourtney@google.com",
+       "erikchen@google.com",      "fangzhoug@google.com",
+       "fukino@google.com",        "gianluca@google.com",
+       "heiserya@google.com",      "hidehiko@google.com",
+       "huangs@google.com",        "huanr@google.com",
+       "igorcov@google.com",       "jamescook@google.com",
+       "jennyz@google.com",        "jorgelo@google.com",
+       "ketakid@google.com",       "lakpamarthy@google.com",
+       "leolai@google.com",        "liaoyuke@google.com",
+       "maguschen@google.com",     "marinakz@google.com",
+       "miersh@google.com",        "mkarkada@google.com",
+       "okalitova@google.com",     "oshima@google.com",
+       "pmarko@google.com",        "pucchakayala@google.com",
+       "rbock@google.com",         "rjkroege@google.com",
+       "rogerta@google.com",       "satorux@google.com",
+       "sinhak@google.com",        "songsuk@google.com",
+       "srinivassista@google.com", "svenzheng@google.com",
+       "willmcleod@google.com",    "ythjkt@google.com",
+       "yusukes@google.com"}};
+  signin::IdentityManager* identity_manager =
+      IdentityManagerFactory::GetForProfile(profile);
+  return base::Contains(*allowlist, identity_manager
+                                        ->GetPrimaryAccountInfo(
+                                            signin::ConsentLevel::kNotRequired)
+                                        .email);
+}
+
 bool InitializeCertDbOnWorkerThread(bool should_load_chaps,
                                     base::FilePath software_nss_db_path) {
   crypto::EnsureNSSInit();
@@ -147,6 +184,12 @@ void CertDbInitializerImpl::OnRefreshTokensLoaded() {
 void CertDbInitializerImpl::WaitForCertDbReady() {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 
+  if (!IsEnabledForEarlyAccess(profile_)) {
+    LOG(WARNING) << "Certificate initialization is skipped.";
+    OnCertDbInitializationFinished(false);
+    return;
+  }
+
   if (!profile_->IsMainProfile()) {
     OnCertDbInitializationFinished(false);
     return;