Reflect sync errors on iOS if missing trusted vault keys

This patch is similar in spirit to the Android equivalent in
https://chromium-review.googlesource.com/c/chromium/src/+/1930796.

The overall idea is that, if encryption keys are missing, the UI needs
to display this state as an error, and the user should be able to go
through a reauth flow to retrieve the keys.

The actual logic to trigger the key retrieval process is deferred to
future patches and reflected in TODOs.

Bug: 1019685
Change-Id: Iad250aaca3519b7af50c0d8bfc038009a7d0f30d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1937368
Commit-Queue: Mikel Astiz <mastiz@chromium.org>
Reviewed-by: Jérôme Lebel <jlebel@chromium.org>
Reviewed-by: Gauthier Ambard <gambard@chromium.org>
Cr-Commit-Position: refs/heads/master@{#720906}

ios/chrome/app/strings/ios_strings.grd

@@ -803,6 +803,9 @@ locale.  The strings in this file are specific to iOS.
       <message name="IDS_IOS_GOOGLE_SERVICES_SETTINGS_SYNC_DISABLBED_BY_ADMINISTRATOR_TITLE" desc="Error displayed as title when the sync is disabled by the enterprise policy. The user doesn't have a regular gmail account.">
         Sync Is Disabled by Your Administrator
       </message>
+      <message name="IDS_IOS_GOOGLE_SERVICES_SETTINGS_SYNC_ENCRYPTION_FIX_NOW" desc="Title button to ask the user to reauthenticate. Syncing of encrypted types (e.g. passwords) is blocked until the user completes the reauth flow.">
+        Fix now.
+      </message>
       <message name="IDS_IOS_HISTORY_OTHER_FORMS_OF_HISTORY" desc="The notification at the top of the history page indicating that deleting Chrome browsing history will not delete other forms of history stored at Google My Activity.">
         Your Google Account may have other forms of browsing history at <ph name="BEGIN_LINK">BEGIN_LINK</ph>history.google.com<ph name="END_LINK">END_LINK</ph>.
       </message>
@@ -1716,6 +1719,9 @@ To change this setting, <ph name="BEGIN_LINK">BEGIN_LINK</ph>reset sync<ph name=
       <message name="IDS_IOS_SYNC_ENCRYPTION_PASSPHRASE_INFO" desc="The information text for encrypting sync using a passphrase, shown on the passphrase screen [iOS only]">
         Passphrase encryption doesn’t include payment methods and addresses from Google Pay. Only someone with your passphrase can read your encrypted data. The passphrase is not sent to or stored by Google. If you forget your passphrase or want to change this setting, you will need to reset sync. <ph name="BEGIN_LINK">BEGIN_LINK</ph>Learn more<ph name="END_LINK">END_LINK</ph>
       </message>
+      <message name="IDS_IOS_SYNC_ENCRYPTION_FIX_NOW" desc="Title displayed when the signed in user needs to reauthenticate. Syncing of encrypted types (e.g. passwords) is blocked until the user completes the reauth flow.">
+        Fix Now
+      </message>
       <message name="IDS_IOS_SYNC_ENCRYPTION_TITLE" desc="The title for the Sync Encryption item [iOS only]">
         Encryption
       </message>
@@ -1738,13 +1744,19 @@ Your data was encrypted with your sync passphrase on <ph name="TIME">$2<ex>Sept
       <message name="IDS_IOS_SYNC_ERROR_COULD_NOT_CONNECT" desc="The error message to display when the sync server is unavailable. [Length: 100em, can be multiple lines] [iOS only]">
         Could not connect to the server.
       </message>
+      <message name="IDS_IOS_SYNC_ERROR_DESCRIPTION" desc="The error message to display when a generic error prevents sync from starting.">
+        Sync isn't working.
+      </message>
+      <message name="IDS_IOS_SYNC_PASSWORDS_ERROR_DESCRIPTION" desc="The error message to display when a generic error prevents encrypted sync datatypes (passwords) from working.">
+        Error syncing passwords.
+      </message>
       <message name="IDS_IOS_SYNC_ERROR_INFO_OUT_OF_DATE" desc="The error message to display when the accounts info are out of date. [Length: 100em, can be multiple lines] [iOS only]">
         Account sign-in details are out of date. Update to start sync.
       </message>
       <message name="IDS_IOS_SYNC_ERROR_INTERNET_DISCONNECTED" desc="Error to display when network connection failed while trying to use sync. [Length: 100em, can be multiple lines] [iOS only]">
         Unable to connect to the Internet.
       </message>
-      <message name="IDS_IOS_SYNC_ERROR_TITLE" desc="Title of the error message shown for sync errors. [Length: 60em] [iOS only]">
+      <message name="IDS_IOS_SYNC_ERROR_TITLE" desc="Title of the error message shown for sync errors. [iOS only]">
         Sync Isn't Working
       </message>
       <message name="IDS_IOS_SYNC_ERROR_UNRECOVERABLE" desc="The error message to display when there is an unrecoverable sync error. [Length: 100em, can be multiple lines] [iOS only]">
@@ -1768,6 +1780,9 @@ Your data was encrypted with your sync passphrase on <ph name="TIME">$2<ex>Sept
       <message name="IDS_IOS_SYNC_PASSPHRASE_RECOVER" desc="Message about how to recover from a lost passphrase. [Length:100em, may be multiple lines] [iOS only]">
         If you forget your passphrase or want to change this setting, <ph name="BEGIN_LINK">BEGIN_LINK</ph>reset sync<ph name="END_LINK">END_LINK</ph>
       </message>
+      <message name="IDS_IOS_SYNC_PASSWORDS_ERROR_TITLE" desc="Title of the error message shown for sync errors when it affects passwords only. [iOS only]">
+        Error Syncing Passwords
+      </message>
       <message name="IDS_IOS_SYNC_SETTINGS_NOT_CONFIRMED" desc="The error message to display when sign-in was interrupted and the user didn't review the sync settings.">
         Initial sync setup was not finished. Sync is off.
       </message>

ios/chrome/app/strings/ios_strings_grd/IDS_IOS_GOOGLE_SERVICES_SETTINGS_SYNC_ENCRYPTION_FIX_NOW.png.sha1

+244e185d254eae24688ae387476e3d716947aed4
\ No newline at end of file

ios/chrome/app/strings/ios_strings_grd/IDS_IOS_SYNC_ENCRYPTION_FIX_NOW.png.sha1

+48ae12ad30af6d2654cffd4b0d68db33e00ffefa
\ No newline at end of file

ios/chrome/app/strings/ios_strings_grd/IDS_IOS_SYNC_PASSWORDS_ERROR_DESCRIPTION.png.sha1

+48ae12ad30af6d2654cffd4b0d68db33e00ffefa
\ No newline at end of file

ios/chrome/app/strings/ios_strings_grd/IDS_IOS_SYNC_PASSWORDS_ERROR_TITLE.png.sha1

+c85314e60c88df143e720cb14ab9a6f0a2bf41c5
\ No newline at end of file

ios/chrome/browser/sync/sync_setup_service.cc

@@ -88,6 +88,7 @@ bool SyncSetupService::UserActionIsRequiredToHaveTabSyncWork() {
     // These errors effectively amount to disabled sync and require a signin.
     case SyncSetupService::kSyncServiceSignInNeedsUpdate:
     case SyncSetupService::kSyncServiceNeedsPassphrase:
+    case SyncSetupService::kSyncServiceNeedsTrustedVaultKey:
     case SyncSetupService::kSyncServiceUnrecoverableError:
     case SyncSetupService::kSyncSettingsNotConfirmed:
       return true;
@@ -150,13 +151,22 @@ SyncSetupService::SyncServiceState SyncSetupService::GetSyncServiceState() {
   if (sync_service_->HasUnrecoverableError())
     return kSyncServiceUnrecoverableError;
   if (sync_service_->GetUserSettings()
-          ->IsPassphraseRequiredForPreferredDataTypes())
+          ->IsPassphraseRequiredForPreferredDataTypes()) {
     return kSyncServiceNeedsPassphrase;
+  }
   if (!IsFirstSetupComplete() && IsSyncEnabled())
     return kSyncSettingsNotConfirmed;
+  if (sync_service_->GetUserSettings()
+          ->IsTrustedVaultKeyRequiredForPreferredDataTypes()) {
+    return kSyncServiceNeedsTrustedVaultKey;
+  }
   return kNoSyncServiceError;
 }
 
+bool SyncSetupService::IsEncryptEverythingEnabled() const {
+  return sync_service_->GetUserSettings()->IsEncryptEverythingEnabled();
+}
+
 bool SyncSetupService::HasFinishedInitialSetup() {
   // Sync initial setup is considered to finished iff:
   //   1. User is signed in with sync enabled and the sync setup was completed.

ios/chrome/browser/sync/sync_setup_service.h

@@ -28,6 +28,7 @@ class SyncSetupService : public KeyedService {
     kSyncServiceCouldNotConnect,
     kSyncServiceServiceUnavailable,
     kSyncServiceNeedsPassphrase,
+    kSyncServiceNeedsTrustedVaultKey,
     kSyncServiceUnrecoverableError,
     kSyncSettingsNotConfirmed,
     kLastSyncServiceError = kSyncServiceUnrecoverableError
@@ -85,6 +86,9 @@ class SyncSetupService : public KeyedService {
   // Returns the current sync service state.
   virtual SyncServiceState GetSyncServiceState();
 
+  // Returns whether all sync data is being encrypted.
+  virtual bool IsEncryptEverythingEnabled() const;
+
   // Returns true if the user has gone through the initial sync configuration.
   // This method is guaranteed not to start the sync backend so it can be
   // called at start-up.

ios/chrome/browser/ui/settings/google_services/google_services_settings_mediator.mm

@@ -75,6 +75,7 @@ typedef NS_ENUM(NSInteger, ItemType) {
   RestartAuthenticationFlowErrorItemType,
   ReauthDialogAsSyncIsInAuthErrorItemType,
   ShowPassphraseDialogErrorItemType,
+  SyncNeedsTrustedVaultKeyErrorItemType,
   SyncDisabledByAdministratorErrorItemType,
   SyncSettingsNotCofirmedErrorItemType,
   SyncChromeDataItemType,
@@ -378,6 +379,10 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
         type = ShowPassphraseDialogErrorItemType;
         hasError = YES;
         break;
+      case SyncSetupService::kSyncServiceNeedsTrustedVaultKey:
+        type = SyncNeedsTrustedVaultKeyErrorItemType;
+        hasError = YES;
+        break;
       case SyncSetupService::kSyncSettingsNotConfirmed:
         if (self.mode == GoogleServicesSettingsModeSettings) {
           type = SyncSettingsNotCofirmedErrorItemType;
@@ -527,6 +532,7 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
       case RestartAuthenticationFlowErrorItemType:
       case ReauthDialogAsSyncIsInAuthErrorItemType:
       case ShowPassphraseDialogErrorItemType:
+      case SyncNeedsTrustedVaultKeyErrorItemType:
       case SyncDisabledByAdministratorErrorItemType:
       case SyncSettingsNotCofirmedErrorItemType:
       case SyncChromeDataItemType:
@@ -640,11 +646,13 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
 //   + RestartAuthenticationFlowErrorItemType
 //   + ReauthDialogAsSyncIsInAuthErrorItemType
 //   + ShowPassphraseDialogErrorItemType
+//   + SyncNeedsTrustedVaultKeyErrorItemType
 //   + SyncSettingsNotCofirmedErrorItemType
 - (TableViewItem*)createSyncErrorItemWithItemType:(NSInteger)itemType {
   DCHECK(itemType == RestartAuthenticationFlowErrorItemType ||
          itemType == ReauthDialogAsSyncIsInAuthErrorItemType ||
          itemType == ShowPassphraseDialogErrorItemType ||
+         itemType == SyncNeedsTrustedVaultKeyErrorItemType ||
          itemType == SyncSettingsNotCofirmedErrorItemType);
   SettingsImageDetailTextItem* syncErrorItem =
       [[SettingsImageDetailTextItem alloc] initWithType:itemType];
@@ -659,6 +667,17 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
     // error message should be still be displayed in the first settings screen.
     syncErrorItem.detailText = GetNSString(
         IDS_IOS_GOOGLE_SERVICES_SETTINGS_ENTER_PASSPHRASE_TO_START_SYNC);
+  } else if (itemType == SyncNeedsTrustedVaultKeyErrorItemType) {
+    // Special case only for the sync encryption key error message. The regular
+    // error message should be still be displayed in the first settings screen.
+    syncErrorItem.detailText =
+        GetNSString(IDS_IOS_GOOGLE_SERVICES_SETTINGS_SYNC_ENCRYPTION_FIX_NOW);
+
+    // Also override the title to be more accurate, if only passwords are being
+    // encrypted.
+    if (!self.syncSetupService->IsEncryptEverythingEnabled()) {
+      syncErrorItem.text = GetNSString(IDS_IOS_SYNC_PASSWORDS_ERROR_TITLE);
+    }
   }
   syncErrorItem.image = [UIImage imageNamed:kGoogleServicesSyncErrorImage];
   return syncErrorItem;
@@ -777,6 +796,7 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
     case RestartAuthenticationFlowErrorItemType:
     case ReauthDialogAsSyncIsInAuthErrorItemType:
     case ShowPassphraseDialogErrorItemType:
+    case SyncNeedsTrustedVaultKeyErrorItemType:
     case SyncDisabledByAdministratorErrorItemType:
     case SyncSettingsNotCofirmedErrorItemType:
     case ManageSyncItemType:
@@ -806,6 +826,9 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
     case ShowPassphraseDialogErrorItemType:
       [self.commandHandler openPassphraseDialog];
       break;
+    case SyncNeedsTrustedVaultKeyErrorItemType:
+      // TODO(crbug.com/1019685): Open key retrieval dialog.
+      break;
     case ManageSyncItemType:
       [self.commandHandler openManageSyncSettings];
       break;

ios/chrome/browser/ui/settings/google_services/manage_sync_settings_mediator.mm

@@ -285,6 +285,14 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
         [UIImage imageNamed:kGoogleServicesSyncErrorImage];
     self.encryptionItem.detailText = GetNSString(
         IDS_IOS_GOOGLE_SERVICES_SETTINGS_ENTER_PASSPHRASE_TO_START_SYNC);
+  } else if (self.shouldEncryptionItemBeEnabled &&
+             self.syncSetupService->GetSyncServiceState() ==
+                 SyncSetupService::kSyncServiceNeedsTrustedVaultKey) {
+    needsUpdate = needsUpdate || self.encryptionItem.image == nil;
+    self.encryptionItem.image =
+        [UIImage imageNamed:kGoogleServicesSyncErrorImage];
+    self.encryptionItem.detailText =
+        GetNSString(IDS_IOS_GOOGLE_SERVICES_SETTINGS_SYNC_ENCRYPTION_FIX_NOW);
   } else {
     needsUpdate = needsUpdate || self.encryptionItem.image != nil;
     self.encryptionItem.image = nil;
@@ -355,7 +363,8 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
   SyncSetupService::SyncServiceState state =
       self.syncSetupService->GetSyncServiceState();
   return state != SyncSetupService::kNoSyncServiceError &&
-         state != SyncSetupService::kSyncServiceNeedsPassphrase;
+         state != SyncSetupService::kSyncServiceNeedsPassphrase &&
+         state != SyncSetupService::kSyncServiceNeedsTrustedVaultKey;
 }
 
 - (BOOL)shouldSyncDataItemEnabled {
@@ -460,6 +469,11 @@ NSString* kGoogleServicesSyncErrorImage = @"google_services_sync_error";
   ItemType itemType = static_cast<ItemType>(item.type);
   switch (itemType) {
     case EncryptionItemType:
+      if (self.syncSetupService->GetSyncServiceState() ==
+          SyncSetupService::kSyncServiceNeedsTrustedVaultKey) {
+        // TODO(crbug.com/1019685): Open key retrieval dialog.
+        break;
+      }
       [self.commandHandler openPassphraseDialog];
       break;
     case GoogleActivityControlsItemType:

ios/chrome/browser/ui/settings/sync/utils/sync_util.mm

@@ -32,6 +32,7 @@ enum ErrorState {
   SYNC_NEEDS_PASSPHRASE,
   SYNC_UNRECOVERABLE_ERROR,
   SYNC_SYNC_SETTINGS_NOT_CONFIRMED,
+  SYNC_NEEDS_TRUSTED_VAULT_KEY,
   SYNC_ERROR_COUNT
 };
 
@@ -49,6 +50,12 @@ NSString* GetSyncErrorDescriptionForSyncSetupService(
       return l10n_util::GetNSString(IDS_IOS_SYNC_LOGIN_INFO_OUT_OF_DATE);
     case SyncSetupService::kSyncServiceNeedsPassphrase:
       return l10n_util::GetNSString(IDS_IOS_SYNC_ENCRYPTION_DESCRIPTION);
+    case SyncSetupService::kSyncServiceNeedsTrustedVaultKey:
+      if (syncSetupService->IsEncryptEverythingEnabled())
+        return l10n_util::GetNSString(IDS_IOS_SYNC_ERROR_DESCRIPTION);
+      // The encryption error affects passwords only as per
+      // syncer::AlwaysEncryptedUserTypes().
+      return l10n_util::GetNSString(IDS_IOS_SYNC_PASSWORDS_ERROR_DESCRIPTION);
     case SyncSetupService::kSyncSettingsNotConfirmed:
       return l10n_util::GetNSString(
           IDS_IOS_SYNC_SETTINGS_NOT_CONFIRMED_DESCRIPTION);
@@ -73,6 +80,8 @@ NSString* GetSyncErrorMessageForBrowserState(
       return l10n_util::GetNSString(IDS_IOS_SYNC_ERROR_INFO_OUT_OF_DATE);
     case SyncSetupService::kSyncServiceNeedsPassphrase:
       return l10n_util::GetNSString(IDS_IOS_SYNC_CONFIGURE_ENCRYPTION);
+    case SyncSetupService::kSyncServiceNeedsTrustedVaultKey:
+      return GetSyncErrorDescriptionForSyncSetupService(syncSetupService);
     case SyncSetupService::kSyncServiceServiceUnavailable:
       return l10n_util::GetNSString(IDS_SYNC_SERVICE_UNAVAILABLE);
     case SyncSetupService::kSyncServiceCouldNotConnect:
@@ -96,6 +105,8 @@ NSString* GetSyncErrorButtonTitleForBrowserState(
       return l10n_util::GetNSString(IDS_IOS_SYNC_UPDATE_CREDENTIALS);
     case SyncSetupService::kSyncServiceNeedsPassphrase:
       return l10n_util::GetNSString(IDS_IOS_SYNC_ENTER_PASSPHRASE);
+    case SyncSetupService::kSyncServiceNeedsTrustedVaultKey:
+      return l10n_util::GetNSString(IDS_IOS_SYNC_ENCRYPTION_FIX_NOW);
     case SyncSetupService::kSyncServiceUnrecoverableError:
       return l10n_util::GetNSString(IDS_IOS_SYNC_SIGN_IN_AGAIN);
     case SyncSetupService::kSyncSettingsNotConfirmed:
@@ -134,6 +145,7 @@ bool ShouldShowSyncSettings(SyncSetupService::SyncServiceState syncState) {
       return true;
     case SyncSetupService::kSyncServiceSignInNeedsUpdate:
     case SyncSetupService::kSyncServiceNeedsPassphrase:
+    case SyncSetupService::kSyncServiceNeedsTrustedVaultKey:
       return false;
   }
 }
@@ -176,6 +188,9 @@ bool DisplaySyncErrors(ios::ChromeBrowserState* browser_state,
     case SyncSetupService::kSyncServiceNeedsPassphrase:
       loggedErrorState = SYNC_NEEDS_PASSPHRASE;
       break;
+    case SyncSetupService::kSyncServiceNeedsTrustedVaultKey:
+      loggedErrorState = SYNC_NEEDS_TRUSTED_VAULT_KEY;
+      break;
     case SyncSetupService::kSyncServiceUnrecoverableError:
       loggedErrorState = SYNC_UNRECOVERABLE_ERROR;
       break;
@@ -202,6 +217,7 @@ bool IsTransientSyncError(SyncSetupService::SyncServiceState errorState) {
       return true;
     case SyncSetupService::kSyncServiceSignInNeedsUpdate:
     case SyncSetupService::kSyncServiceNeedsPassphrase:
+    case SyncSetupService::kSyncServiceNeedsTrustedVaultKey:
     case SyncSetupService::kSyncServiceUnrecoverableError:
     case SyncSetupService::kSyncSettingsNotConfirmed:
       return false;