Lock the profile temporarily during sign in when force-sign-in is enabled.

When force-sign-in policy is enabled and ProfileSigninConfirmationDialog is being displayed,
lock the profile temporarily so that there is no new browser window for that profile can be opened.

Unlock the profile after dialog being confirmed and Chrome begins to download policy.

Bug: 642059
Change-Id: Ib4ab0e9172cae3646ae855cc48a9564bc2fef0a3
Reviewed-on: https://chromium-review.googlesource.com/572425
Commit-Queue: Owen Min <zmin@chromium.org>
Reviewed-by: Roger Tawa <rogerta@chromium.org>
Cr-Commit-Position: refs/heads/master@{#487239}

chrome/browser/ui/sync/one_click_signin_sync_starter.cc

@@ -20,6 +20,7 @@
 #include "chrome/browser/profiles/profile_window.h"
 #include "chrome/browser/signin/signin_manager_factory.h"
 #include "chrome/browser/signin/signin_tracker_factory.h"
+#include "chrome/browser/signin/signin_util.h"
 #include "chrome/browser/sync/profile_sync_service_factory.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_finder.h"
@@ -69,6 +70,22 @@ void SetUserChoiceHistogram(SigninChoice choice) {
                             SIGNIN_CHOICE_SIZE);
 }
 
+// Lock the profile in memory when |enable| is false. Or unlock the profile
+// if |enable| is true. This is used by force-sign-in policy only.
+void EnableProfileForForceSigninInMemory(Profile* profile, bool enable) {
+  ProfileAttributesEntry* entry;
+  bool has_entry =
+      g_browser_process->profile_manager()
+          ->GetProfileAttributesStorage()
+          .GetProfileAttributesWithPath(profile->GetPath(), &entry);
+  DCHECK(has_entry);
+  if (enable) {
+    entry->SetIsSigninRequired(false);
+  } else {
+    entry->LockForceSigninProfile(true);
+  }
+}
+
 }  // namespace
 
 OneClickSigninSyncStarter::OneClickSigninSyncStarter(
@@ -254,6 +271,10 @@ void OneClickSigninSyncStarter::OnRegisteredForPolicy(
                                       signin->GetUsernameForAuthInProgress(),
                                       base::MakeUnique<SigninDialogDelegate>(
                                           weak_pointer_factory_.GetWeakPtr()));
+  // If force signin enabled, lock the profile when dialog is being displayed to
+  // avoid new browser window opened.
+  if (signin_util::IsForceSigninEnabled())
+    EnableProfileForForceSigninInMemory(profile_, false);
 }
 
 void OneClickSigninSyncStarter::LoadPolicyWithCachedCredentials() {
@@ -269,6 +290,9 @@ void OneClickSigninSyncStarter::LoadPolicyWithCachedCredentials() {
       profile_->GetRequestContext(),
       base::Bind(&OneClickSigninSyncStarter::OnPolicyFetchComplete,
                  weak_pointer_factory_.GetWeakPtr()));
+
+  // Unlock the profile after loading policies.
+  EnableProfileForForceSigninInMemory(profile_, true);
 }
 
 void OneClickSigninSyncStarter::OnPolicyFetchComplete(bool success) {
@@ -342,19 +366,12 @@ void OneClickSigninSyncStarter::CompleteInitForNewProfile(
         DCHECK(!client_id_.empty());
         LoadPolicyWithCachedCredentials();
       } else {
-        // No policy to load - simply complete the signin process.
+        // No policy to load - simply complete the signin process and unlock the
+        // profile.
         SigninManagerFactory::GetForProfile(profile_)->CompletePendingSignin();
+        EnableProfileForForceSigninInMemory(profile_, true);
       }
 
-      // Unlock the new profile.
-      ProfileAttributesEntry* entry;
-      bool has_entry =
-          g_browser_process->profile_manager()
-              ->GetProfileAttributesStorage()
-              .GetProfileAttributesWithPath(new_profile->GetPath(), &entry);
-      DCHECK(has_entry);
-      entry->SetIsSigninRequired(false);
-
       // Open the profile's first window, after all initialization.
       profiles::FindOrCreateNewWindowForProfile(
         new_profile,