Make KeyPermissions a keyed-service

This CL does the following. 1) Renames KeyPermissions to KeyPermissionsManager and 2) Creates KeyPermissionsManagerUserService which is a keyed-service. Bug: 1117010 Change-Id: I9cfaa94a29cf934cc2b9d9a91e3633908c37ffce Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2362729 Commit-Queue: Omar Morsi <omorsi@google.com> Reviewed-by: Edman Anjos <edman@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: David Roger <droger@chromium.org> Cr-Commit-Position: refs/heads/master@{#800331}

Make KeyPermissions a keyed-service
This CL does the following. 1) Renames KeyPermissions to KeyPermissionsManager and 2) Creates KeyPermissionsManagerUserService which is a keyed-service. Bug: 1117010 Change-Id: I9cfaa94a29cf934cc2b9d9a91e3633908c37ffce Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2362729 Commit-Queue: Omar Morsi <omorsi@google.com> Reviewed-by: Edman Anjos <edman@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: David Roger <droger@chromium.org> Cr-Commit-Position: refs/heads/master@{#800331}
1a876de2 · Omar Morsi · Commit Bot · 0708646a · 1a876de2 · 1a876de2
Commit 1a876de2 authored Aug 20, 2020 by Omar Morsi Committed by Commit Bot Aug 20, 2020
13 changed files
--- a/chrome/browser/chromeos/BUILD.gn
+++ b/chrome/browser/chromeos/BUILD.gn
@@ -1907,8 +1907,10 @@ source_set("chromeos") {
    "platform_keys/extension_platform_keys_service.h",
    "platform_keys/extension_platform_keys_service_factory.cc",
    "platform_keys/extension_platform_keys_service_factory.h",
-    "platform_keys/key_permissions/key_permissions.cc",
-    "platform_keys/key_permissions/key_permissions.h",
+    "platform_keys/key_permissions/key_permissions_manager.cc",
+    "platform_keys/key_permissions/key_permissions_manager.h",
+    "platform_keys/key_permissions/key_permissions_manager_user_service.cc",
+    "platform_keys/key_permissions/key_permissions_manager_user_service.h",
    "platform_keys/key_permissions/key_permissions_policy_handler.cc",
    "platform_keys/key_permissions/key_permissions_policy_handler.h",
    "platform_keys/platform_keys.cc",

--- a/chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_store_bridge.cc
+++ b/chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_store_bridge.cc
@@ -13,7 +13,7 @@
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/memory/singleton.h"
-#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h"
 #include "chrome/browser/net/nss_context.h"
 #include "chrome/browser/policy/profile_policy_connector.h"
@@ -82,7 +82,7 @@ bool IsCertificateAllowed(const scoped_refptr<net::X509Certificate>& cert,
  std::string spki_der = chromeos::platform_keys::GetSubjectPublicKeyInfo(cert);
  std::string public_key_spki_der_b64;
  base::Base64Encode(spki_der, &public_key_spki_der_b64);
-  if (!chromeos::platform_keys::KeyPermissions::IsCorporateKeyForProfile(
+  if (!chromeos::platform_keys::KeyPermissionsManager::IsCorporateKeyForProfile(
          public_key_spki_der_b64, prefs)) {
    DVLOG(1) << "Certificate is not allowed to be used by ARC.";
    return false;
@@ -303,8 +303,8 @@ void ArcCertStoreBridge::OnCertificatesListed(
 void ArcCertStoreBridge::UpdateFromKeyPermissionsPolicy() {
  DVLOG(1) << "ArcCertStoreBridge::UpdateFromKeyPermissionsPolicy";

-  std::vector<std::string> app_ids = chromeos::platform_keys::KeyPermissions::
-      GetCorporateKeyUsageAllowedAppIds(policy_service_);
+  std::vector<std::string> app_ids = chromeos::platform_keys::
+      KeyPermissionsManager::GetCorporateKeyUsageAllowedAppIds(policy_service_);
  std::vector<std::string> permissions;
  for (const auto& app_id : app_ids) {
    if (LooksLikeAndroidPackageName(app_id))

--- a/chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_store_bridge_browsertest.cc
+++ b/chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_store_bridge_browsertest.cc
@@ -15,12 +15,12 @@
 #include "chrome/browser/chromeos/arc/enterprise/cert_store/arc_cert_store_bridge.h"
 #include "chrome/browser/chromeos/arc/session/arc_service_launcher.h"
 #include "chrome/browser/chromeos/login/test/local_policy_test_server_mixin.h"
-#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 #include "chrome/browser/chromeos/policy/user_policy_test_helper.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/net/nss_context.h"
-#include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/common/pref_names.h"
@@ -204,19 +204,16 @@ class ArcCertStoreBridgeTest : public MixinBasedInProcessBrowserTest {
  void RegisterCorporateKeys() {
    ASSERT_NO_FATAL_FAILURE(ImportCerts());

-    policy::ProfilePolicyConnector* const policy_connector =
-        browser()->profile()->GetProfilePolicyConnector();
+    chromeos::platform_keys::KeyPermissionsManager* const permissions =
+        chromeos::platform_keys::KeyPermissionsManagerUserServiceFactory::
+            GetForBrowserContext(browser()->profile())
+                ->key_permissions_manager();

-    extensions::StateStore* const state_store =
-        extensions::ExtensionSystem::Get(browser()->profile())->state_store();
-
-    chromeos::platform_keys::KeyPermissions permissions(
-        policy_connector->IsManaged(), browser()->profile()->GetPrefs(),
-        policy_connector->policy_service(), state_store);
+    ASSERT_TRUE(permissions);

    {
      base::RunLoop run_loop;
-      permissions.GetPermissionsForExtension(
+      permissions->GetPermissionsForExtension(
          kFakeExtensionId,
          base::Bind(&ArcCertStoreBridgeTest::GotPermissionsForExtension,
                     base::Unretained(this), run_loop.QuitClosure()));
@@ -262,9 +259,8 @@ class ArcCertStoreBridgeTest : public MixinBasedInProcessBrowserTest {
  // client_cert2_ is not allowed.
  void GotPermissionsForExtension(
      const base::Closure& done_callback,
-      std::unique_ptr<
-          chromeos::platform_keys::KeyPermissions::PermissionsForExtension>
-          permissions_for_ext) {
+      std::unique_ptr<chromeos::platform_keys::KeyPermissionsManager::
+                          PermissionsForExtension> permissions_for_ext) {
    std::string client_cert1_spki(
        client_cert1_->derPublicKey.data,
        client_cert1_->derPublicKey.data + client_cert1_->derPublicKey.len);

--- a/chrome/browser/chromeos/browser_context_keyed_service_factories.cc
+++ b/chrome/browser/chromeos/browser_context_keyed_service_factories.cc
@@ -22,6 +22,7 @@
 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_service_factory.h"
 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos_factory.h"
 #include "chrome/browser/chromeos/phonehub/phone_hub_manager_factory.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.h"
 #include "chrome/browser/chromeos/plugin_vm/plugin_vm_engagement_metrics_service.h"
 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_token_forwarder_factory.h"
@@ -72,6 +73,7 @@ void EnsureBrowserContextKeyedServiceFactoriesBuilt() {
  launcher_search_provider::ServiceFactory::GetInstance();
  OwnerSettingsServiceChromeOSFactory::GetInstance();
  phonehub::PhoneHubManagerFactory::GetInstance();
+  platform_keys::KeyPermissionsManagerUserServiceFactory::GetInstance();
  plugin_vm::PluginVmEngagementMetricsService::Factory::GetInstance();
  policy::PolicyCertServiceFactory::GetInstance();
  policy::UserCloudPolicyTokenForwarderFactory::GetInstance();

--- a/chrome/browser/chromeos/platform_keys/extension_platform_keys_service.cc
+++ b/chrome/browser/chromeos/platform_keys/extension_platform_keys_service.cc
--- a/chrome/browser/chromeos/platform_keys/extension_platform_keys_service.h
+++ b/chrome/browser/chromeos/platform_keys/extension_platform_keys_service.h
@@ -13,7 +13,7 @@
 #include "base/containers/queue.h"
 #include "base/macros.h"
 #include "base/memory/weak_ptr.h"
-#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h"
 #include "components/keyed_service/core/keyed_service.h"
@@ -74,7 +74,7 @@ class ExtensionPlatformKeysService : public KeyedService {

  // Stores registration information in |state_store|, i.e. for each extension
  // the list of public keys that are valid to be used for signing. See
-  // |KeyPermissions| for details.
+  // |KeyPermissionsManager| for details.
  // |browser_context| and |state_store| must not be null and outlive this
  // object.
  explicit ExtensionPlatformKeysService(
@@ -226,7 +226,7 @@ class ExtensionPlatformKeysService : public KeyedService {

  content::BrowserContext* const browser_context_ = nullptr;
  platform_keys::PlatformKeysService* const platform_keys_service_ = nullptr;
-  platform_keys::KeyPermissions key_permissions_;
+  platform_keys::KeyPermissionsManager* const key_permissions_ = nullptr;
  std::unique_ptr<SelectDelegate> select_delegate_;
  base::queue<std::unique_ptr<Task>> tasks_;
  base::WeakPtrFactory<ExtensionPlatformKeysService> weak_factory_{this};

--- a/chrome/browser/chromeos/platform_keys/extension_platform_keys_service_factory.cc
+++ b/chrome/browser/chromeos/platform_keys/extension_platform_keys_service_factory.cc
@@ -14,6 +14,7 @@
 #include "base/memory/singleton.h"
 #include "base/memory/weak_ptr.h"
 #include "chrome/browser/chromeos/platform_keys/extension_platform_keys_service.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h"
 #include "chrome/browser/extensions/extension_system_factory.h"
 #include "chrome/browser/policy/profile_policy_connector.h"
@@ -91,6 +92,8 @@ ExtensionPlatformKeysServiceFactory::ExtensionPlatformKeysServiceFactory()
          BrowserContextDependencyManager::GetInstance()) {
  DependsOn(extensions::ExtensionSystemFactory::GetInstance());
  DependsOn(chromeos::platform_keys::PlatformKeysServiceFactory::GetInstance());
+  DependsOn(chromeos::platform_keys::KeyPermissionsManagerUserServiceFactory::
+                GetInstance());
 }

 ExtensionPlatformKeysServiceFactory::~ExtensionPlatformKeysServiceFactory() {}

--- a/chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.cc
+++ b/chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.cc
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager.h"

+#include <memory>
+#include <string>
 #include <utility>
+#include <vector>

 #include "base/base64.h"
 #include "base/bind.h"
@@ -13,12 +16,12 @@
 #include "base/stl_util.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
+#include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/common/pref_names.h"
 #include "components/policy/core/common/policy_map.h"
 #include "components/policy/core/common/policy_namespace.h"
 #include "components/policy/core/common/policy_service.h"
 #include "components/policy/policy_constants.h"
-#include "components/pref_registry/pref_registry_syncable.h"
 #include "components/prefs/pref_service.h"
 #include "components/prefs/scoped_user_pref_update.h"
 #include "extensions/browser/state_store.h"
@@ -153,7 +156,7 @@ bool IsKeyOnUserSlot(const std::vector<TokenId>& key_locations) {

 }  // namespace

-struct KeyPermissions::PermissionsForExtension::KeyEntry {
+struct KeyPermissionsManager::PermissionsForExtension::KeyEntry {
  explicit KeyEntry(const std::string& public_key_spki_der_b64)
      : spki_b64(public_key_spki_der_b64) {}

@@ -173,12 +176,12 @@ struct KeyPermissions::PermissionsForExtension::KeyEntry {
  bool sign_unlimited = false;
 };

-KeyPermissions::PermissionsForExtension::PermissionsForExtension(
+KeyPermissionsManager::PermissionsForExtension::PermissionsForExtension(
    const std::string& extension_id,
    std::unique_ptr<base::Value> state_store_value,
    PrefService* profile_prefs,
    policy::PolicyService* profile_policies,
-    KeyPermissions* key_permissions)
+    KeyPermissionsManager* key_permissions)
    : extension_id_(extension_id),
      profile_prefs_(profile_prefs),
      profile_policies_(profile_policies),
@@ -190,9 +193,9 @@ KeyPermissions::PermissionsForExtension::PermissionsForExtension(
    KeyEntriesFromState(*state_store_value);
 }

-KeyPermissions::PermissionsForExtension::~PermissionsForExtension() {}
+KeyPermissionsManager::PermissionsForExtension::~PermissionsForExtension() {}

-bool KeyPermissions::PermissionsForExtension::CanUseKeyForSigning(
+bool KeyPermissionsManager::PermissionsForExtension::CanUseKeyForSigning(
    const std::string& public_key_spki_der,
    const std::vector<TokenId>& key_locations) {
  if (key_locations.empty())
@@ -225,7 +228,7 @@ bool KeyPermissions::PermissionsForExtension::CanUseKeyForSigning(
  return matching_entry->sign_unlimited;
 }

-void KeyPermissions::PermissionsForExtension::SetKeyUsedForSigning(
+void KeyPermissionsManager::PermissionsForExtension::SetKeyUsedForSigning(
    const std::string& public_key_spki_der,
    const std::vector<TokenId>& key_locations) {
  if (key_locations.empty())
@@ -246,9 +249,9 @@ void KeyPermissions::PermissionsForExtension::SetKeyUsedForSigning(
  WriteToStateStore();
 }

-void KeyPermissions::PermissionsForExtension::RegisterKeyForCorporateUsage(
-    const std::string& public_key_spki_der,
-    const std::vector<TokenId>& key_locations) {
+void KeyPermissionsManager::PermissionsForExtension::
+    RegisterKeyForCorporateUsage(const std::string& public_key_spki_der,
+                                 const std::vector<TokenId>& key_locations) {
  if (key_locations.empty()) {
    NOTREACHED();
    return;
@@ -285,7 +288,7 @@ void KeyPermissions::PermissionsForExtension::RegisterKeyForCorporateUsage(
                                  std::move(new_pref_entry));
 }

-void KeyPermissions::PermissionsForExtension::SetUserGrantedPermission(
+void KeyPermissionsManager::PermissionsForExtension::SetUserGrantedPermission(
    const std::string& public_key_spki_der,
    const std::vector<TokenId>& key_locations) {
  if (!key_permissions_->CanUserGrantPermissionFor(public_key_spki_der,
@@ -314,18 +317,18 @@ void KeyPermissions::PermissionsForExtension::SetUserGrantedPermission(
  WriteToStateStore();
 }

-bool KeyPermissions::PermissionsForExtension::PolicyAllowsCorporateKeyUsage()
-    const {
+bool KeyPermissionsManager::PermissionsForExtension::
+    PolicyAllowsCorporateKeyUsage() const {
  return PolicyAllowsCorporateKeyUsageForExtension(extension_id_,
                                                   profile_policies_);
 }

-void KeyPermissions::PermissionsForExtension::WriteToStateStore() {
+void KeyPermissionsManager::PermissionsForExtension::WriteToStateStore() {
  key_permissions_->SetPlatformKeysOfExtension(extension_id_,
                                               KeyEntriesToState());
 }

-void KeyPermissions::PermissionsForExtension::KeyEntriesFromState(
+void KeyPermissionsManager::PermissionsForExtension::KeyEntriesFromState(
    const base::Value& state) {
  state_store_entries_.clear();

@@ -360,7 +363,7 @@ void KeyPermissions::PermissionsForExtension::KeyEntriesFromState(
 }

 std::unique_ptr<base::Value>
-KeyPermissions::PermissionsForExtension::KeyEntriesToState() {
+KeyPermissionsManager::PermissionsForExtension::KeyEntriesToState() {
  std::unique_ptr<base::ListValue> new_state(new base::ListValue);
  for (const KeyEntry& entry : state_store_entries_) {
    // Drop entries that the extension doesn't have any permissions for anymore.
@@ -382,8 +385,8 @@ KeyPermissions::PermissionsForExtension::KeyEntriesToState() {
  return std::move(new_state);
 }

-KeyPermissions::PermissionsForExtension::KeyEntry*
-KeyPermissions::PermissionsForExtension::GetStateStoreEntry(
+KeyPermissionsManager::PermissionsForExtension::KeyEntry*
+KeyPermissionsManager::PermissionsForExtension::GetStateStoreEntry(
    const std::string& public_key_spki_der_b64) {
  for (KeyEntry& entry : state_store_entries_) {
    // For every ASN.1 value there is exactly one DER encoding, so it is fine to
@@ -396,10 +399,11 @@ KeyPermissions::PermissionsForExtension::GetStateStoreEntry(
  return &state_store_entries_.back();
 }

-KeyPermissions::KeyPermissions(bool profile_is_managed,
-                               PrefService* profile_prefs,
-                               policy::PolicyService* profile_policies,
-                               extensions::StateStore* extensions_state_store)
+KeyPermissionsManager::KeyPermissionsManager(
+    bool profile_is_managed,
+    PrefService* profile_prefs,
+    policy::PolicyService* profile_policies,
+    extensions::StateStore* extensions_state_store)
    : profile_is_managed_(profile_is_managed),
      profile_prefs_(profile_prefs),
      profile_policies_(profile_policies),
@@ -409,18 +413,19 @@ KeyPermissions::KeyPermissions(bool profile_is_managed,
  DCHECK(!profile_is_managed_ || profile_policies_);
 }

-KeyPermissions::~KeyPermissions() {}
+KeyPermissionsManager::~KeyPermissionsManager() {}

-void KeyPermissions::GetPermissionsForExtension(
+void KeyPermissionsManager::GetPermissionsForExtension(
    const std::string& extension_id,
    const PermissionsCallback& callback) {
  extensions_state_store_->GetExtensionValue(
      extension_id, kStateStorePlatformKeys,
-      base::BindOnce(&KeyPermissions::CreatePermissionObjectAndPassToCallback,
-                     weak_factory_.GetWeakPtr(), extension_id, callback));
+      base::BindOnce(
+          &KeyPermissionsManager::CreatePermissionObjectAndPassToCallback,
+          weak_factory_.GetWeakPtr(), extension_id, callback));
 }

-bool KeyPermissions::CanUserGrantPermissionFor(
+bool KeyPermissionsManager::CanUserGrantPermissionFor(
    const std::string& public_key_spki_der,
    const std::vector<TokenId>& key_locations) const {
  if (key_locations.empty())
@@ -440,7 +445,7 @@ bool KeyPermissions::CanUserGrantPermissionFor(
 }

 // static
-bool KeyPermissions::IsCorporateKeyForProfile(
+bool KeyPermissionsManager::IsCorporateKeyForProfile(
    const std::string& public_key_spki_der_b64,
    const PrefService* const profile_prefs) {
  const base::DictionaryValue* prefs_entry =
@@ -455,7 +460,8 @@ bool KeyPermissions::IsCorporateKeyForProfile(
 }

 // static
-std::vector<std::string> KeyPermissions::GetCorporateKeyUsageAllowedAppIds(
+std::vector<std::string>
+KeyPermissionsManager::GetCorporateKeyUsageAllowedAppIds(
    policy::PolicyService* const profile_policies) {
  std::vector<std::string> permissions;

@@ -478,7 +484,7 @@ std::vector<std::string> KeyPermissions::GetCorporateKeyUsageAllowedAppIds(
  return permissions;
 }

-bool KeyPermissions::IsCorporateKey(
+bool KeyPermissionsManager::IsCorporateKey(
    const std::string& public_key_spki_der_b64,
    const std::vector<TokenId>& key_locations) const {
  for (const auto key_location : key_locations) {
@@ -496,13 +502,7 @@ bool KeyPermissions::IsCorporateKey(
  return false;
 }

-void KeyPermissions::RegisterProfilePrefs(
-    user_prefs::PrefRegistrySyncable* registry) {
-  // For the format of the dictionary see the documentation at kPrefKeyUsage.
-  registry->RegisterDictionaryPref(prefs::kPlatformKeys);
-}
-
-void KeyPermissions::CreatePermissionObjectAndPassToCallback(
+void KeyPermissionsManager::CreatePermissionObjectAndPassToCallback(
    const std::string& extension_id,
    const PermissionsCallback& callback,
    std::unique_ptr<base::Value> value) {
@@ -510,7 +510,7 @@ void KeyPermissions::CreatePermissionObjectAndPassToCallback(
      extension_id, std::move(value), profile_prefs_, profile_policies_, this));
 }

-void KeyPermissions::SetPlatformKeysOfExtension(
+void KeyPermissionsManager::SetPlatformKeysOfExtension(
    const std::string& extension_id,
    std::unique_ptr<base::Value> value) {
  extensions_state_store_->SetExtensionValue(

--- a/chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.h
+++ b/chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.h
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-#ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_H_
-#define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_H_
+#ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_MANAGER_H_
+#define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_MANAGER_H_

 #include <memory>
 #include <string>
@@ -28,10 +28,6 @@ namespace policy {
 class PolicyService;
 }

-namespace user_prefs {
-class PrefRegistrySyncable;
-}
-
 namespace chromeos {
 namespace platform_keys {

@@ -72,7 +68,10 @@ namespace platform_keys {
 // certificate authority creates the certificate of the generated key, the
 // generating extension isn't able to use the key anymore except if explicitly
 // permitted by the administrator.
-class KeyPermissions {
+//
+// For retrieving a profile-specific KeyPermissionsManager, use
+// KeyPermissionsManagerUserServiceFactory.
+class KeyPermissionsManager {
 public:
  // Allows querying and modifying permissions and registering keys for a
  // specific extension.
@@ -81,12 +80,12 @@ class KeyPermissions {
    // |key_permissions| must not be null and outlive this object.
    // Methods of this object refer implicitly to the extension with the id
    // |extension_id|. Don't use this constructor directly. Call
-    // |KeyPermissions::GetPermissionsForExtension| instead.
+    // |KeyPermissionsManager::GetPermissionsForExtension| instead.
    PermissionsForExtension(const std::string& extension_id,
                            std::unique_ptr<base::Value> state_store_value,
                            PrefService* profile_prefs,
                            policy::PolicyService* profile_policies,
-                            KeyPermissions* key_permissions);
+                            KeyPermissionsManager* key_permissions);

    ~PermissionsForExtension();

@@ -144,8 +143,8 @@ class KeyPermissions {
    // returns a new entry.
    // |public_key_spki_der| must be the base64 encoding of the DER of a Subject
    // Public Key Info.
-    KeyPermissions::PermissionsForExtension::KeyEntry* GetStateStoreEntry(
-        const std::string& public_key_spki_der_b64);
+    KeyPermissionsManager::PermissionsForExtension::KeyEntry*
+    GetStateStoreEntry(const std::string& public_key_spki_der_b64);

    bool PolicyAllowsCorporateKeyUsage() const;

@@ -153,7 +152,7 @@ class KeyPermissions {
    std::vector<KeyEntry> state_store_entries_;
    PrefService* const profile_prefs_;
    policy::PolicyService* const profile_policies_;
-    KeyPermissions* const key_permissions_;
+    KeyPermissionsManager* const key_permissions_;

    DISALLOW_COPY_AND_ASSIGN(PermissionsForExtension);
  };
@@ -164,12 +163,12 @@ class KeyPermissions {
  // |profile_policies| must not be null and must outlive this object.
  // |profile_is_managed| determines the default usage and permissions for
  // keys without explicitly assigned usage.
-  KeyPermissions(bool profile_is_managed,
-                 PrefService* profile_prefs,
-                 policy::PolicyService* profile_policies,
-                 extensions::StateStore* extensions_state_store);
+  KeyPermissionsManager(bool profile_is_managed,
+                        PrefService* profile_prefs,
+                        policy::PolicyService* profile_policies,
+                        extensions::StateStore* extensions_state_store);

-  ~KeyPermissions();
+  ~KeyPermissionsManager();

  using PermissionsCallback =
      base::Callback<void(std::unique_ptr<PermissionsForExtension>)>;
@@ -187,8 +186,6 @@ class KeyPermissions {
      const std::string& public_key_spki_der,
      const std::vector<platform_keys::TokenId>& key_locations) const;

-  static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
-
  // Returns true if |public_key_spki_der_b64| is a corporate usage key.
  static bool IsCorporateKeyForProfile(
      const std::string& public_key_spki_der_b64,
@@ -219,12 +216,12 @@ class KeyPermissions {
  PrefService* const profile_prefs_;
  policy::PolicyService* const profile_policies_;
  extensions::StateStore* const extensions_state_store_;
-  base::WeakPtrFactory<KeyPermissions> weak_factory_{this};
+  base::WeakPtrFactory<KeyPermissionsManager> weak_factory_{this};

-  DISALLOW_COPY_AND_ASSIGN(KeyPermissions);
+  DISALLOW_COPY_AND_ASSIGN(KeyPermissionsManager);
 };

 }  // namespace platform_keys
 }  // namespace chromeos

-#endif  // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_H_
+#endif  // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_MANAGER_H_
--- a/chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.cc
+++ b/chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.h"
+
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/extensions/extension_system_factory.h"
+#include "chrome/browser/policy/profile_policy_connector.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/common/pref_names.h"
+#include "components/keyed_service/content/browser_context_dependency_manager.h"
+#include "components/pref_registry/pref_registry_syncable.h"
+#include "extensions/browser/extension_system.h"
+
+namespace chromeos {
+namespace platform_keys {
+
+// ==================== KeyPermissionsManagerUserService =======================
+
+KeyPermissionsManagerUserService::KeyPermissionsManagerUserService(
+    Profile* profile)
+    : key_permissions_manager_(
+          profile->GetProfilePolicyConnector()->IsManaged(),
+          profile->GetPrefs(),
+          profile->GetProfilePolicyConnector()->policy_service(),
+          extensions::ExtensionSystem::Get(profile)->state_store()) {}
+
+KeyPermissionsManagerUserService::~KeyPermissionsManagerUserService() = default;
+
+// ================== KeyPermissionsManagerUserServiceFactory ==================
+
+// static
+KeyPermissionsManagerUserService*
+KeyPermissionsManagerUserServiceFactory::GetForBrowserContext(
+    content::BrowserContext* context) {
+  return static_cast<KeyPermissionsManagerUserService*>(
+      GetInstance()->GetServiceForBrowserContext(context, /*create=*/true));
+}
+
+// static
+KeyPermissionsManagerUserServiceFactory*
+KeyPermissionsManagerUserServiceFactory::GetInstance() {
+  static base::NoDestructor<KeyPermissionsManagerUserServiceFactory> factory;
+  return factory.get();
+}
+
+KeyPermissionsManagerUserServiceFactory::
+    KeyPermissionsManagerUserServiceFactory()
+    : BrowserContextKeyedServiceFactory(
+          "KeyPermissionsManagerUserService",
+          BrowserContextDependencyManager::GetInstance()) {
+  DependsOn(extensions::ExtensionSystemFactory::GetInstance());
+}
+
+KeyedService* KeyPermissionsManagerUserServiceFactory::BuildServiceInstanceFor(
+    content::BrowserContext* context) const {
+  Profile* profile = Profile::FromBrowserContext(context);
+  if (!profile) {
+    return nullptr;
+  }
+
+  return new KeyPermissionsManagerUserService(profile);
+}
+
+void KeyPermissionsManagerUserServiceFactory::RegisterProfilePrefs(
+    user_prefs::PrefRegistrySyncable* registry) {
+  // For the format of the dictionary see prefs::kPlatformKeys documentation in
+  // key_permissions_manager.cc
+  registry->RegisterDictionaryPref(prefs::kPlatformKeys);
+}
+
+}  // namespace platform_keys
+}  // namespace chromeos
--- a/chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.h
+++ b/chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_MANAGER_USER_SERVICE_H_
+#define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_MANAGER_USER_SERVICE_H_
+
+#include "base/no_destructor.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager.h"
+#include "components/keyed_service/content/browser_context_keyed_service_factory.h"
+#include "components/keyed_service/core/keyed_service.h"
+
+class Profile;
+
+namespace user_prefs {
+class PrefRegistrySyncable;
+}
+
+namespace chromeos {
+namespace platform_keys {
+
+// KeyPermissionsManagerUserService is a wrapper over KeyPermissionsManager
+// (KPM) to provide KPMs keyed by profile. KPM is not a KeyedService by itself
+// so as future work can introduce a global device-wide KPM instance.
+class KeyPermissionsManagerUserService : public KeyedService {
+ public:
+  explicit KeyPermissionsManagerUserService(Profile* profile);
+  ~KeyPermissionsManagerUserService() override;
+
+  KeyPermissionsManager* key_permissions_manager() {
+    return &key_permissions_manager_;
+  }
+
+ private:
+  KeyPermissionsManager key_permissions_manager_;
+};
+
+class KeyPermissionsManagerUserServiceFactory
+    : public BrowserContextKeyedServiceFactory {
+ public:
+  static KeyPermissionsManagerUserService* GetForBrowserContext(
+      content::BrowserContext* context);
+  static KeyPermissionsManagerUserServiceFactory* GetInstance();
+
+ private:
+  friend class base::NoDestructor<KeyPermissionsManagerUserServiceFactory>;
+
+  KeyPermissionsManagerUserServiceFactory();
+  ~KeyPermissionsManagerUserServiceFactory() override = default;
+
+  // BrowserStateKeyedServiceFactory.
+  KeyedService* BuildServiceInstanceFor(
+      content::BrowserContext* context) const override;
+  void RegisterProfilePrefs(
+      user_prefs::PrefRegistrySyncable* registry) override;
+};
+
+}  // namespace platform_keys
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_KEY_PERMISSIONS_MANAGER_USER_SERVICE_H_
--- a/chrome/browser/extensions/api/platform_keys/platform_keys_apitest_nss.cc
+++ b/chrome/browser/extensions/api/platform_keys/platform_keys_apitest_nss.cc
@@ -14,10 +14,11 @@
 #include "base/strings/stringprintf.h"
 #include "chrome/browser/chromeos/platform_keys/extension_platform_keys_service.h"
 #include "chrome/browser/chromeos/platform_keys/extension_platform_keys_service_factory.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager.h"
+#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions_manager_user_service.h"
 #include "chrome/browser/chromeos/platform_keys/platform_keys.h"
 #include "chrome/browser/extensions/api/platform_keys/platform_keys_test_base.h"
 #include "chrome/browser/net/nss_context.h"
-#include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/profiles/profile.h"
 #include "components/policy/policy_constants.h"
 #include "content/public/browser/browser_task_traits.h"
@@ -132,18 +133,16 @@ class PlatformKeysTest : public PlatformKeysTestBase {
    const extensions::Extension* const fake_gen_extension =
        LoadExtension(test_data_dir_.AppendASCII("platform_keys_genkey"));

-    policy::ProfilePolicyConnector* const policy_connector =
-        profile()->GetProfilePolicyConnector();
+    chromeos::platform_keys::KeyPermissionsManager* const
+        key_permissions_manager =
+            chromeos::platform_keys::KeyPermissionsManagerUserServiceFactory::
+                GetForBrowserContext(profile())
+                    ->key_permissions_manager();

-    extensions::StateStore* const state_store =
-        extensions::ExtensionSystem::Get(profile())->state_store();
-
-    chromeos::platform_keys::KeyPermissions permissions(
-        policy_connector->IsManaged(), profile()->GetPrefs(),
-        policy_connector->policy_service(), state_store);
+    ASSERT_TRUE(key_permissions_manager);

    base::RunLoop run_loop;
-    permissions.GetPermissionsForExtension(
+    key_permissions_manager->GetPermissionsForExtension(
        fake_gen_extension->id(),
        base::Bind(&PlatformKeysTest::GotPermissionsForExtension,
                   base::Unretained(this), run_loop.QuitClosure()));
@@ -169,9 +168,8 @@ class PlatformKeysTest : public PlatformKeysTestBase {

  void GotPermissionsForExtension(
      const base::Closure& done_callback,
-      std::unique_ptr<
-          chromeos::platform_keys::KeyPermissions::PermissionsForExtension>
-          permissions_for_ext) {
+      std::unique_ptr<chromeos::platform_keys::KeyPermissionsManager::
+                          PermissionsForExtension> permissions_for_ext) {
    std::string client_cert1_spki =
        chromeos::platform_keys::GetSubjectPublicKeyInfo(client_cert1_);
    permissions_for_ext->RegisterKeyForCorporateUsage(

--- a/chrome/browser/prefs/browser_prefs.cc
+++ b/chrome/browser/prefs/browser_prefs.cc
@@ -301,7 +301,6 @@
 #include "chrome/browser/chromeos/login/users/chrome_user_manager_impl.h"
 #include "chrome/browser/chromeos/login/users/multi_profile_user_controller.h"
 #include "chrome/browser/chromeos/net/network_throttling_observer.h"
-#include "chrome/browser/chromeos/platform_keys/key_permissions/key_permissions.h"
 #include "chrome/browser/chromeos/plugin_vm/plugin_vm_pref_names.h"
 #include "chrome/browser/chromeos/policy/app_install_event_log_manager_wrapper.h"
 #include "chrome/browser/chromeos/policy/app_install_event_logger.h"
@@ -1063,7 +1062,6 @@ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry,
  chromeos::first_run::RegisterProfilePrefs(registry);
  chromeos::file_system_provider::RegisterProfilePrefs(registry);
  chromeos::KerberosCredentialsManager::RegisterProfilePrefs(registry);
-  chromeos::platform_keys::KeyPermissions::RegisterProfilePrefs(registry);
  chromeos::multidevice_setup::MultiDeviceSetupService::RegisterProfilePrefs(
      registry);
  chromeos::MultiProfileUserController::RegisterProfilePrefs(registry);