Delete saml password attributes when no longer relevant.

During SAML flow, we might get extra information about when the password expires from the SAML IdP, which we store so we can then warn the user when their password expires. However, this information is no longer relevant - and will never be updated by the SAML IdP - if the user no longer uses SAML to log in. In that, case, we should simply delete it. We should also delete it if the feature that uses it is turned off - if an admin decides this feature is not useful to them and turns it off, then we should clear the data. Later if they decide to try and out the feature again, they shouldn't need to worry about data reappearing that has been stored since last time they had the feature enabled - that data could be very stale since it will not have been kept up to date. Stale data can lead to spurious password-expiry notifications. Bug: 930109 Change-Id: Ia2f6abba306adea8b64a5f756579826ded8ffc16 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1866750Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Commit-Queue: A Olsen <olsen@chromium.org> Cr-Commit-Position: refs/heads/master@{#709838}

Delete saml password attributes when no longer relevant.
During SAML flow, we might get extra information about when the password expires from the SAML IdP, which we store so we can then warn the user when their password expires. However, this information is no longer relevant - and will never be updated by the SAML IdP - if the user no longer uses SAML to log in. In that, case, we should simply delete it. We should also delete it if the feature that uses it is turned off - if an admin decides this feature is not useful to them and turns it off, then we should clear the data. Later if they decide to try and out the feature again, they shouldn't need to worry about data reappearing that has been stored since last time they had the feature enabled - that data could be very stale since it will not have been kept up to date. Stale data can lead to spurious password-expiry notifications. Bug: 930109 Change-Id: Ia2f6abba306adea8b64a5f756579826ded8ffc16 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1866750Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Commit-Queue: A Olsen <olsen@chromium.org> Cr-Commit-Position: refs/heads/master@{#709838}
26209a36 · A Olsen · Commit Bot · 1b4b5576 · 26209a36
Commit 26209a36 authored Oct 28, 2019 by A Olsen Committed by Commit Bot Oct 28, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 2 deletions

chrome/browser/chromeos/login/session/user_session_manager.cc ...me/browser/chromeos/login/session/user_session_manager.cc +14 -2

No files found.
--- a/chrome/browser/chromeos/login/session/user_session_manager.cc
+++ b/chrome/browser/chromeos/login/session/user_session_manager.cc
@@ -1522,11 +1522,23 @@ void UserSessionManager::UserProfileInitialized(Profile* profile,
      }
    }
-    // Update password expiry data if new data came in during SAML login:
+    const bool in_session_password_change_feature_enabled =
-    if (base::FeatureList::IsEnabled(::features::kInSessionPasswordChange) &&
+        base::FeatureList::IsEnabled(::features::kInSessionPasswordChange);
+    if (in_session_password_change_feature_enabled &&
        user_context_.GetSamlPasswordAttributes().has_value()) {
+      // Update password expiry data if new data came in during SAML login,
+      // and the in-session password change feature is enabled:
      user_context_.GetSamlPasswordAttributes()->SaveToPrefs(
          profile->GetPrefs());
+    } else if (!in_session_password_change_feature_enabled ||
+               user_context_.GetAuthFlow() ==
+                   UserContext::AUTH_FLOW_GAIA_WITHOUT_SAML) {
+      // These attributes are no longer relevant and should be deleted if either
+      // a) the in-session password change feature is no longer enabled or
+      // b) this user is no longer using SAML to log in.
+      SamlPasswordAttributes::DeleteFromPrefs(profile->GetPrefs());
    }
    // Transfers authentication-related data from the profile that was used for