Add new DeviceUserAllowlist policy

This is intended to replace the DeviceUserWhitelist policy. The old policy will still be used in the absence of the new one for at least a few releases of Chrome. BUG=chromium:1103816 Change-Id: Ie4cb3376ffb92c41bb7036f23e4ee9cb182c39b3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339500Reviewed-by: Owen Min <zmin@chromium.org> Commit-Queue: Brian Malcolm <bmalcolm@chromium.org> Cr-Commit-Position: refs/heads/master@{#795267}

Add new DeviceUserAllowlist policy
This is intended to replace the DeviceUserWhitelist policy. The old policy will still be used in the absence of the new one for at least a few releases of Chrome. BUG=chromium:1103816 Change-Id: Ie4cb3376ffb92c41bb7036f23e4ee9cb182c39b3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339500Reviewed-by: Owen Min <zmin@chromium.org> Commit-Queue: Brian Malcolm <bmalcolm@chromium.org> Cr-Commit-Position: refs/heads/master@{#795267}
1f0d1106 · Brian Malcolm · Commit Bot · e4af0e13 · 1f0d1106 · 1f0d1106
Commit 1f0d1106 authored Aug 06, 2020 by Brian Malcolm Committed by Commit Bot Aug 06, 2020
6 changed files
--- a/chrome/browser/policy/profile_policy_connector.cc
+++ b/chrome/browser/policy/profile_policy_connector.cc
@@ -227,6 +227,8 @@ void ProfilePolicyConnector::Init(
  migrators.push_back(std::make_unique<LegacyChromePolicyMigrator>(
      policy::key::kNoteTakingAppsLockScreenWhitelist,
      policy::key::kNoteTakingAppsLockScreenAllowlist));
+  migrators.push_back(std::make_unique<LegacyChromePolicyMigrator>(
+      policy::key::kDeviceUserWhitelist, policy::key::kDeviceUserAllowlist));
  ConfigurationPolicyProvider* user_policy_delegate_candidate =
      configuration_policy_provider ? configuration_policy_provider

--- a/chrome/test/data/chromeos/enterprise/policies
+++ b/chrome/test/data/chromeos/enterprise/policies
@@ -518,7 +518,7 @@
  u'prod_enterprise_crosprqa3_user': {
    u'device_recommended_policies': {},
    u'device_mandatory_policies': {
-      u'DeviceUserWhitelist': [
+      u'DeviceUserAllowlist': [
        u'bob.exc@crosprqa1.com',
        u'*@crosprqa3.com',
        u'*@crosprqa2.com',

--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -5374,6 +5374,8 @@
  "DeviceUserWhitelist": {},
+  "DeviceUserAllowlist": {},
  "DeviceGuestModeEnabled": {},
  "DeviceShowUserNamesOnSignin": {},

--- a/components/policy/proto/chrome_device_policy.proto
+++ b/components/policy/proto/chrome_device_policy.proto
@@ -24,10 +24,16 @@ message UserWhitelistProto {
  repeated string user_whitelist = 1;
 }
+message UserAllowlistProto {
+  // If a UserAllowlistProto is included in the ChromeDeviceSettingsProto but
+  // the user_whitelist field is empty then no user can sign-in.
+  repeated string user_allowlist = 1;
+}
 message AllowNewUsersProto {
  // Determines whether we allow arbitrary users to log into the device.
-  // This interacts with the UserWhitelistProto as follows:
+  // This interacts with the UserAllowlistProto as follows:
-  // allow_new_users | user_whitelist     | anyone can log in
+  // allow_new_users | user_allowlist     | anyone can log in
  //-----------------+--------------------+------------------
  //  present, true  | not present        | Yes
  //-----------------+--------------------+------------------
@@ -1831,4 +1837,5 @@ message ChromeDeviceSettingsProto {
  optional DevicePrintersProto device_printers = 110;
  optional DeviceShowLowDiskSpaceNotificationProto
      device_show_low_disk_space_notification = 111;
+  optional UserAllowlistProto user_allowlist = 112;
 }
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -838,6 +838,7 @@
      'policies': [
        'DeviceGuestModeEnabled',
        'DeviceUserWhitelist',
+        'DeviceUserAllowlist',
        'DeviceAllowNewUsers',
        'DeviceLoginScreenDomainAutoComplete',
        'DeviceShowUserNamesOnSignin',
@@ -9090,11 +9091,37 @@
      'features': {
        'dynamic_refresh': True,
      },
+      'deprecated': True,
      'example_value': [ 'madmax@managedchrome.com' ],
      'id': 122,
      'caption': '''Login user white list''',
      'tags': [],
-      'desc': '''Defines the list of users that are allowed to login to the device. Entries are of the form <ph name="USER_WHITELIST_ENTRY_FORMAT">user@domain</ph>, such as <ph name="USER_WHITELIST_ENTRY_EXAMPLE">madmax@managedchrome.com</ph>. To allow arbitrary users on a domain, use entries of the form <ph name="USER_WHITELIST_ENTRY_WILDCARD">*@domain</ph>.
+      'desc': '''Defines the list of users that are allowed to login to the device. Entries are of the form <ph name="USER_ALLOWLIST_ENTRY_FORMAT">user@domain</ph>, such as <ph name="USER_ALLOWLIST_ENTRY_EXAMPLE">madmax@managedchrome.com</ph>. To allow arbitrary users on a domain, use entries of the form <ph name="USER_ALLOWLIST_ENTRY_WILDCARD">*@domain</ph>.
+      If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the <ph name="DEVICE_ALLOW_NEW_USERS_POLICY_NAME">DeviceAllowNewUsers</ph> policy to be configured appropriately.
+      This policy is deprecated, please use <ph name="DEVICE_USER_ALLOWLIST_POLICY_NAME">DeviceUserAllowlist</ph> instead.''',
+      'arc_support': 'This policy controls who may start a <ph name="PRODUCT_OS_NAME">$2<ex>Chromium OS</ex></ph> session. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific <ph name="ACCOUNT_TYPES_WITH_MANAGEMENT_DISABLED_CLOUDDPC_POLICY_NAME">accountTypesWithManagementDisabled</ph> policy as part of <ph name="ARC_POLICY_POLICY_NAME">ArcPolicy</ph>.',
+    },
+    {
+      'name': 'DeviceUserAllowlist',
+      'owners': ['file://components/policy/resources/OWNERS'],
+      'type': 'list',
+      'schema': {
+        'type': 'array',
+        'items': { 'type': 'string' },
+        'sensitiveValue': True,
+      },
+      'supported_on': ['chrome_os:86-'],
+      'device_only': True,
+      'features': {
+        'dynamic_refresh': True,
+      },
+      'example_value': [ 'madmax@managedchrome.com' ],
+      'id': 764,
+      'caption': '''Login user allow list''',
+      'tags': [],
+      'desc': '''Defines the list of users that are allowed to login to the device. Entries are of the form <ph name="USER_ALLOWLIST_ENTRY_FORMAT">user@domain</ph>, such as <ph name="USER_WHITELIST_ENTRY_EXAMPLE">madmax@managedchrome.com</ph>. To allow arbitrary users on a domain, use entries of the form <ph name="USER_ALLOWLIST_ENTRY_WILDCARD">*@domain</ph>.
      If this policy is not configured, there are no restrictions on which users are allowed to sign in. Note that creating new users still requires the <ph name="DEVICE_ALLOW_NEW_USERS_POLICY_NAME">DeviceAllowNewUsers</ph> policy to be configured appropriately.''',
      'arc_support': 'This policy controls who may start a <ph name="PRODUCT_OS_NAME">$2<ex>Chromium OS</ex></ph> session. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific <ph name="ACCOUNT_TYPES_WITH_MANAGEMENT_DISABLED_CLOUDDPC_POLICY_NAME">accountTypesWithManagementDisabled</ph> policy as part of <ph name="ARC_POLICY_POLICY_NAME">ArcPolicy</ph>.',
@@ -9115,7 +9142,7 @@
      'tags': [],
      'desc': '''Controls whether <ph name="PRODUCT_OS_NAME">$2<ex>Google Chrome OS</ex></ph> allows new user accounts to be created. If this policy is set to false, users that do not have an account already will not be able to login.
-      If this policy is set to true or not configured, new user accounts will be allowed to be created provided that <ph name="DEVICE_USER_WHITELIST_POLICY_NAME">DeviceUserWhitelist</ph> does not prevent the user from logging in.''',
+      If this policy is set to true or not configured, new user accounts will be allowed to be created provided that <ph name="DEVICE_USER_ALLOWLIST_POLICY_NAME">DeviceUserAllowlist</ph> does not prevent the user from logging in.''',
      'arc_support': 'This policy controls whether new users can be added to <ph name="PRODUCT_OS_NAME">$2<ex>Chromium OS</ex></ph>. It does not prevent users from signing in to additional Google accounts within Android. If you want to prevent this, configure the Android-specific <ph name="ACCOUNT_TYPES_WITH_MANAGEMENT_DISABLED_CLOUDDPC_POLICY_NAME">accountTypesWithManagementDisabled</ph> policy as part of <ph name="ARC_POLICY_POLICY_NAME">ArcPolicy</ph>.',
    },
    {
@@ -23002,6 +23029,7 @@ The recommended way to configure policy on Windows is via GPO, although provisio
    'DeviceShowUserNamesOnSignin': 'show_user_names.show_user_names',
    'DeviceAllowNewUsers': 'allow_new_users.allow_new_users',
    'DeviceUserWhitelist': 'user_whitelist.user_whitelist',
+    'DeviceUserAllowlist': 'user_allowlist.user_allowlist',
    'DeviceEphemeralUsersEnabled': 'ephemeral_users_enabled.ephemeral_users_enabled',
    'LoginAuthenticationBehavior': 'login_authentication_behavior.login_authentication_behavior',
    'DeviceAllowBluetooth': 'allow_bluetooth.allow_bluetooth',
@@ -23647,6 +23675,6 @@ The recommended way to configure policy on Windows is via GPO, although provisio
  ],
  'placeholders': [],
  'deleted_policy_ids': [412, 476, 546, 562, 569, 578],
-  'highest_id_currently_used': 763,
+  'highest_id_currently_used': 764,
  'highest_atomic_group_id_currently_used': 39
 }
--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -21356,6 +21356,7 @@ Called by update_document_policy_enum.py.-->
  <int value="761" label="NearbyShareAllowed"/>
  <int value="762" label="PerAppTimeLimitsAllowlist"/>
  <int value="763" label="DeviceShowLowDiskSpaceNotification"/>
+  <int value="764" label="DeviceUserAllowlist"/>
 </enum>
 <enum name="EnterprisePolicyDeviceIdValidity">