SSO into any Chrome profile through GCPW

This change is a follow up to a previous Chrome SSO change[1]. Currently, Chrome SSO through GCPW would only work if the profile is the initial profile dir. That wouldn't work if initial profile dir is deleted and/or another profile is being used. This change addresses signing into profile through GCPW regardless of profile being initial profile.

Note that signing into profile doesn't work:

If the same GCPW user is authenticated in any other profile.
If any other profile was used to sign-in with GCPW before.
[1] https://chromium-review.googlesource.com/c/chromium/src/+/1984474

Bug: 1038368
Change-Id: I8719d1dbea59eb31206f9c897331fcd9674aae9b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2084721
Commit-Queue: Yusuf Sengul <yusufsn@google.com>
Reviewed-by: Rakesh Soma <rakeshsoma@google.com>
Reviewed-by: Mihai Sardarescu <msarda@chromium.org>
Reviewed-by: Roger Tawa <rogerta@chromium.org>
Cr-Commit-Position: refs/heads/master@{#756429}

chrome/browser/profiles/profile_attributes_entry.cc

@@ -20,6 +20,7 @@
 #include "components/prefs/pref_service.h"
 #include "components/prefs/scoped_user_pref_update.h"
 #include "components/profile_metrics/state.h"
+#include "components/signin/public/base/signin_pref_names.h"
 #include "components/signin/public/identity_manager/account_info.h"
 #include "ui/base/resource/resource_bundle.h"
 
@@ -376,6 +377,10 @@ bool ProfileAttributesEntry::IsAuthError() const {
   return GetBool(kIsAuthErrorKey);
 }
 
+bool ProfileAttributesEntry::IsSignedInWithCredentialProvider() const {
+  return GetBool(prefs::kSignedInWithCredentialProvider);
+}
+
 size_t ProfileAttributesEntry::GetAvatarIconIndex() const {
   std::string icon_url = GetString(kAvatarIconKey);
   size_t icon_index = 0;
@@ -469,6 +474,12 @@ void ProfileAttributesEntry::SetIsSigninRequired(bool value) {
     LockForceSigninProfile(value);
 }
 
+void ProfileAttributesEntry::SetSignedInWithCredentialProvider(bool value) {
+  if (value != GetBool(prefs::kSignedInWithCredentialProvider)) {
+    SetBool(prefs::kSignedInWithCredentialProvider, value);
+  }
+}
+
 void ProfileAttributesEntry::LockForceSigninProfile(bool is_lock) {
   DCHECK(is_force_signin_enabled_);
   if (is_force_signin_profile_locked_ == is_lock)

chrome/browser/profiles/profile_attributes_entry.h

@@ -126,6 +126,8 @@ class ProfileAttributesEntry {
   // Returns true if the profile is signed in but is in an authentication error
   // state.
   bool IsAuthError() const;
+  // Indicates that profile was signed in through native OS credential provider.
+  bool IsSignedInWithCredentialProvider() const;
   // Returns the index of the default icon used by the profile.
   size_t GetAvatarIconIndex() const;
   // Returns the metrics bucket this profile should be recorded in.
@@ -152,6 +154,7 @@ class ProfileAttributesEntry {
   void SetGAIAPicture(const std::string& image_url_with_size, gfx::Image image);
   void SetIsUsingGAIAPicture(bool value);
   void SetIsSigninRequired(bool value);
+  void SetSignedInWithCredentialProvider(bool value);
   void SetIsEphemeral(bool value);
   void SetIsUsingDefaultName(bool value);
   void SetIsUsingDefaultAvatar(bool value);

chrome/browser/profiles/profile_manager.cc

@@ -1637,6 +1637,10 @@ void ProfileManager::AddProfileToStorage(Profile* profile) {
       // The ProfileAttributesStorage's info must match the Identity Manager.
       entry->SetAuthInfo(account_info.gaia, username,
                          is_consented_primary_account);
+
+      entry->SetSignedInWithCredentialProvider(profile->GetPrefs()->GetBoolean(
+          prefs::kSignedInWithCredentialProvider));
+
 #if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
       // Sign out if force-sign-in policy is enabled and profile is not signed
       // in.
@@ -1687,13 +1691,16 @@ void ProfileManager::AddProfileToStorage(Profile* profile) {
                      username, is_consented_primary_account, icon_index,
                      supervised_user_id, account_id);
 
-  if (profile->GetPrefs()->GetBoolean(prefs::kForceEphemeralProfiles)) {
-    ProfileAttributesEntry* entry;
-    bool has_entry = storage.GetProfileAttributesWithPath(profile->GetPath(),
-                                                          &entry);
-    DCHECK(has_entry);
+  ProfileAttributesEntry* entry;
+  bool has_entry =
+      storage.GetProfileAttributesWithPath(profile->GetPath(), &entry);
+  DCHECK(has_entry);
+
+  if (profile->GetPrefs()->GetBoolean(prefs::kForceEphemeralProfiles))
     entry->SetIsEphemeral(true);
-  }
+
+  entry->SetSignedInWithCredentialProvider(
+      profile->GetPrefs()->GetBoolean(prefs::kSignedInWithCredentialProvider));
 }
 
 void ProfileManager::SetNonPersonalProfilePrefs(Profile* profile) {

chrome/browser/signin/signin_util_win.cc

@@ -18,6 +18,8 @@
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/first_run/first_run.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/profiles/profile_attributes_entry.h"
+#include "chrome/browser/profiles/profile_attributes_storage.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/profiles/profile_window.h"
 #include "chrome/browser/signin/about_signin_internals_factory.h"
@@ -25,6 +27,7 @@
 #include "chrome/browser/ui/browser_finder.h"
 #include "chrome/browser/ui/browser_list.h"
 #include "chrome/browser/ui/webui/signin/dice_turn_sync_on_helper.h"
+#include "chrome/browser/ui/webui/signin/signin_utils_desktop.h"
 #include "chrome/credential_provider/common/gcp_strings.h"
 #include "components/prefs/pref_service.h"
 #include "components/signin/core/browser/about_signin_internals.h"
@@ -148,17 +151,20 @@ void ImportCredentialsFromProvider(Profile* profile,
 // true, importing refresh_token is allowed even if the profile has primary
 // account for the user authenticated through credential provider.
 void ExtractCredentialImportPreferences(
-    base::string16* cred_provider_user_gaia_id,
+    base::string16* cred_provider_gaia_id,
+    base::string16* cred_provider_email,
     bool* allow_import_only_on_first_run,
     bool* allow_import_when_primary_account_exists) {
-  DCHECK(cred_provider_user_gaia_id);
+  DCHECK(cred_provider_gaia_id);
+  DCHECK(cred_provider_email);
   DCHECK(allow_import_only_on_first_run);
   DCHECK(allow_import_when_primary_account_exists);
 
   // Initialize to more restricted configuration.
   *allow_import_only_on_first_run = true;
   *allow_import_when_primary_account_exists = false;
-  cred_provider_user_gaia_id->clear();
+  cred_provider_gaia_id->clear();
+  cred_provider_email->clear();
 
   base::win::RegKey key;
   if (key.Open(HKEY_CURRENT_USER, credential_provider::kRegHkcuAccountsPath,
@@ -174,9 +180,16 @@ void ExtractCredentialImportPreferences(
   if (!key_account.Valid())
     return;
 
+  base::string16 email;
+  if (key_account.ReadValue(
+          base::UTF8ToUTF16(credential_provider::kKeyEmail).c_str(), &email) !=
+      ERROR_SUCCESS) {
+    return;
+  }
+
   // No need to return immediately if reading following registries fail. They
-  // will set to be stricter by default. cred_provider_user_gaia_id will be
-  // correctly set, though.
+  // will set to be stricter by default. cred_provider_gaia_id and
+  // cred_provider_email will be correctly set, though.
   DWORD reg_import_only_on_first_run = 1;
   key_account.ReadValueDW(credential_provider::kAllowImportOnlyOnFirstRun,
                           &reg_import_only_on_first_run);
@@ -186,7 +199,8 @@ void ExtractCredentialImportPreferences(
       credential_provider::kAllowImportWhenPrimaryAccountExists,
       &reg_import_when_primary_account_exists);
 
-  *cred_provider_user_gaia_id = it.Name();
+  *cred_provider_gaia_id = it.Name();
+  *cred_provider_email = email;
   *allow_import_only_on_first_run = (reg_import_only_on_first_run == 1);
   *allow_import_when_primary_account_exists =
       (reg_import_when_primary_account_exists == 1);
@@ -263,43 +277,75 @@ void SetDiceTurnSyncOnHelperDelegateForTesting(
   GetDiceTurnSyncOnHelperDelegateForTestingStorage()->swap(delegate);
 }
 
+// Credential provider needs to stick to profile it previously used to import
+// credentials. Thus, if there is another profile that was previously signed in
+// with credential provider regardless of whether user signed in or out,
+// credential provider shouldn't attempt to import credentials into current
+// profile.
+bool IsGCPWUsedInOtherProfile(Profile* profile) {
+  DCHECK(profile);
+
+  ProfileManager* profile_manager = g_browser_process->profile_manager();
+  if (profile_manager) {
+    std::vector<ProfileAttributesEntry*> entries =
+        profile_manager->GetProfileAttributesStorage()
+            .GetAllProfilesAttributes();
+
+    for (const ProfileAttributesEntry* entry : entries) {
+      if (entry->GetPath() == profile->GetPath())
+        continue;
+
+      if (entry->IsSignedInWithCredentialProvider())
+        return true;
+    }
+  }
+
+  return false;
+}
+
+// Chrome doesn't allow signing into current profile if the same user is signed
+// in another profile.
+bool CanSignInToCurrentProfile(const std::string& gaia_id,
+                               const std::string& email,
+                               Profile* profile) {
+  std::string error_message;
+  return CanOfferSignin(profile, CAN_OFFER_SIGNIN_FOR_ALL_ACCOUNTS, gaia_id,
+                        email, &error_message);
+}
+
 void SigninWithCredentialProviderIfPossible(Profile* profile) {
   bool import_only_on_first_run = true;
   bool import_when_primary_account_exists = false;
-  base::string16 cred_provider_user_gaia_id;
+  base::string16 cred_provider_gaia_id;
+  base::string16 cred_provider_email;
 
-  ExtractCredentialImportPreferences(&cred_provider_user_gaia_id,
-                                     &import_only_on_first_run,
-                                     &import_when_primary_account_exists);
-
-  if (cred_provider_user_gaia_id.empty())
+  ExtractCredentialImportPreferences(
+      &cred_provider_gaia_id, &cred_provider_email, &import_only_on_first_run,
+      &import_when_primary_account_exists);
+  if (cred_provider_gaia_id.empty() || cred_provider_email.empty())
     return;
 
-  if (import_only_on_first_run && !first_run::IsChromeFirstRun())
+  if (!CanSignInToCurrentProfile(base::UTF16ToUTF8(cred_provider_gaia_id),
+                                 base::UTF16ToUTF8(cred_provider_email),
+                                 profile) ||
+      IsGCPWUsedInOtherProfile(profile)) {
     return;
+  }
 
-  if (g_browser_process->profile_manager()->GetInitialProfileDir() !=
-      profile->GetPath().BaseName()) {
+  if (import_only_on_first_run && !first_run::IsChromeFirstRun())
     return;
-  }
 
   auto* identity_manager = IdentityManagerFactory::GetForProfile(profile);
+  base::string16 gaia_id;
   if (identity_manager->HasPrimaryAccount()) {
-    base::string16 gaia_id =
-        base::UTF8ToUTF16(identity_manager->GetPrimaryAccountInfo().gaia);
+    gaia_id = base::UTF8ToUTF16(identity_manager->GetPrimaryAccountInfo().gaia);
 
-    if (!import_when_primary_account_exists ||
-        (gaia_id != cred_provider_user_gaia_id)) {
+    if (!import_when_primary_account_exists) {
       return;
     }
-
-    // If there is already a primary account in the profile, this means sync was
-    // turned on. So it shouldn't be turned on again.
-    TrySigninWithCredentialProvider(profile, gaia_id, false);
-    return;
   }
 
-  TrySigninWithCredentialProvider(profile, base::string16(), true);
+  TrySigninWithCredentialProvider(profile, gaia_id, gaia_id.empty());
 }
 
 bool ReauthWithCredentialProviderIfPossible(Profile* profile) {