Add toggle in Chrome Settings for Always-on VPN

If a VPN connection is set to be Always-on (via Android setting
or policy), we want an off-switch in Chrome Settings in case
the Android container is compromised.

If the VpnConfigAllowed preference is set to false, this new switch will be
disabled, and potentially the policy indicator is displayed to its right.
This should line up with the same indicator next to the "(Dis)Connect"
button above, and the "open subpage" indicators in the lines below.

For this, the controlled-button needs to remove its right margin for the
(Dis)Connect buttons. Fortunately, these two buttons are the only
controlled-buttons in the codebase that do not have the end-justified attribute
set, as there is only one other instance of controlled-button
(in downloads_page.html, with end-justified set).

BUG=b:72861260
BUG=873123
TEST=browser_tests --gtest_filter=*CrSettingsInternetDetailPageTest*

Change-Id: Ifa76dc905fb0b06ddd13d1e1e2d2ab6d4c2cd018
Reviewed-on: https://chromium-review.googlesource.com/c/1340333Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Commit-Queue: Philipp Weiß <phweiss@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609643}

chrome/app/settings_strings.grdp

@@ -1876,6 +1876,9 @@
     <message name="IDS_SETTINGS_INTERNET_NETWORK_AUTO_CONNECT" desc="Settings > Internet > Network details: Label for the checkbox determining whether to automatically connect to the network.">
       Automatically connect to this network
     </message>
+    <message name="IDS_SETTINGS_INTERNET_NETWORK_ALWAYS_ON_VPN" desc="Settings > Internet > Network details: Label for the checkbox determining that all internet traffic has to go through this VPN (virtual private network), and all other network connections are blocked.">
+      Always connect through this VPN
+    </message>
     <message name="IDS_SETTINGS_INTERNET_NETWORK_IP_CONFIG_AUTO" desc="Settings > Internet > Network details: Label for the checkbox determining whether to automatically configure the network IP config.">
       Configure IP address automatically
     </message>

chrome/browser/extensions/api/settings_private/prefs_util.cc

@@ -418,6 +418,10 @@ const PrefsUtil::TypedPrefMap& PrefsUtil::GetWhitelistedKeys() {
       settings_api::PrefType::PREF_TYPE_BOOLEAN;
   (*s_whitelist)[::prefs::kVpnConfigAllowed] =
       settings_api::PrefType::PREF_TYPE_BOOLEAN;
+  (*s_whitelist)[arc::prefs::kAlwaysOnVpnPackage] =
+      settings_api::PrefType::PREF_TYPE_STRING;
+  (*s_whitelist)[arc::prefs::kAlwaysOnVpnLockdown] =
+      settings_api::PrefType::PREF_TYPE_BOOLEAN;
 
   // Timezone settings.
   (*s_whitelist)[chromeos::kSystemTimezone] =

chrome/browser/resources/settings/controls/controlled_button.html

@@ -31,8 +31,6 @@
       }
 
       :host(:not([end-justified])) cr-policy-pref-indicator {
-        margin-inline-end: calc(
-            var(--cr-controlled-by-spacing) - var(--justify-margin));
         margin-inline-start: var(--cr-controlled-by-spacing);
       }
 

chrome/browser/resources/settings/internet_page/internet_detail_page.html

@@ -47,7 +47,8 @@
       }
 
       cr-policy-network-indicator,
-      cr-policy-indicator {
+      cr-policy-indicator,
+      cr-policy-pref-indicator {
         margin-inline-start: var(--settings-controlled-by-spacing);
       }
 
@@ -178,6 +179,30 @@
           </cr-toggle>
         </div>
       </template>
+      <!-- Always-on VPN. -->
+      <template is="dom-if"
+          if="[[showAlwaysOnVpn_(networkProperties)]]">
+        <div class="settings-box">
+          <div id="AlwaysOnVpnToggleLabel" class="start">
+            $i18n{networkAlwaysOnVpn}
+          </div>
+          <cr-toggle checked="{{alwaysOnVpn_}}"
+              disabled="[[!enableAlwaysOnVpn_(networkProperties,
+                  prefs.vpn_config_allowed)]]"
+              aria-labelledby="AlwaysOnVpnToggleLabel"
+              on-change="onAlwaysOnVpnChange_">
+          </cr-toggle>
+          <template is="dom-if"
+              if="[[!enableAlwaysOnVpn_(networkProperties,
+              prefs.vpn_config_allowed)]]">
+            <cr-policy-pref-indicator
+                pref="[[getVpnConfigPrefFromValue_(networkProperties,
+                    prefs.vpn_config_allowed)]]" on-click="onIndicatorTap_"
+                icon-aria-label="AlwaysOnVpnToggleLabel">
+            </cr-policy-pref-indicator>
+          </template>
+        </div>
+      </template>
       <!-- Data roaming (Cellular only). -->
       <template is="dom-if" if="[[isCellular_(networkProperties)]]">
         <settings-toggle-button id="allowDataRoaming"

chrome/browser/resources/settings/internet_page/internet_detail_page.js

@@ -114,6 +114,15 @@ Polymer({
       observer: 'autoConnectChanged_',
     },
 
+    /**
+     * State of the Always-on VPN toggle.
+     * @private
+     */
+    alwaysOnVpn_: {
+      type: Boolean,
+      value: false,
+    },
+
     /**
      * The network preferred state.
      * @private
@@ -143,6 +152,10 @@ Polymer({
     proxyExpanded_: Boolean,
   },
 
+  observers: [
+    'onAlwaysOnPrefChanged_(prefs.arc.vpn.always_on.*)',
+  ],
+
   listeners: {
     'network-list-changed': 'checkNetworkExists_',
     'networks-changed': 'updateNetworkDetails_'
@@ -1036,6 +1049,48 @@ Polymer({
     return CrOnc.getManagedAutoConnect(networkProperties);
   },
 
+  /**
+   * @param {!CrOnc.NetworkProperties} networkProperties
+   * @return {boolean} Whether the toggle for the Always-on VPN feature is
+   * displayed.
+   * @private
+   */
+  showAlwaysOnVpn_: function(networkProperties) {
+    return this.isArcVpn_(networkProperties) && this.prefs.arc &&
+        this.prefs.arc.vpn && this.prefs.arc.vpn.always_on &&
+        this.prefs.arc.vpn.always_on.vpn_package &&
+        networkProperties.VPN.Host.Active ===
+        this.prefs.arc.vpn.always_on.vpn_package.value;
+  },
+
+  /**
+   * @param {!CrOnc.NetworkProperties} networkProperties
+   * @param {!chrome.settingsPrivate.PrefObject} vpnConfigAllowed
+   * @return {boolean} Whether the toggle for the Always-on VPN feature is
+   * enabled.
+   * @private
+   */
+  enableAlwaysOnVpn_: function(networkProperties, vpnConfigAllowed) {
+    return this.isArcVpn_(networkProperties) && vpnConfigAllowed &&
+        !!vpnConfigAllowed.value;
+  },
+
+  /** @private */
+  onAlwaysOnPrefChanged_: function() {
+    if (this.prefs.arc && this.prefs.arc.vpn && this.prefs.arc.vpn.always_on &&
+        this.prefs.arc.vpn.always_on.lockdown) {
+      this.alwaysOnVpn_ = this.prefs.arc.vpn.always_on.lockdown.value;
+    }
+  },
+
+  /** @private */
+  onAlwaysOnVpnChange_: function() {
+    if (this.prefs.arc && this.prefs.arc.vpn && this.prefs.arc.vpn.always_on &&
+        this.prefs.arc.vpn.always_on.lockdown) {
+      this.set('prefs.arc.vpn.always_on.lockdown.value', this.alwaysOnVpn_);
+    }
+  },
+
   /**
    * @param {!CrOnc.NetworkProperties} networkProperties
    * @param {!chrome.networkingPrivate.GlobalPolicy} globalPolicy

chrome/browser/ui/webui/settings/md_settings_localized_strings_provider.cc

@@ -1174,6 +1174,7 @@ void AddInternetStrings(content::WebUIDataSource* html_source) {
        IDS_SETTINGS_INTERNET_KNOWN_NETWORKS_MENU_FORGET},
       {"networkAllowDataRoaming",
        IDS_SETTINGS_SETTINGS_NETWORK_ALLOW_DATA_ROAMING},
+      {"networkAlwaysOnVpn", IDS_SETTINGS_INTERNET_NETWORK_ALWAYS_ON_VPN},
       {"networkAutoConnect", IDS_SETTINGS_INTERNET_NETWORK_AUTO_CONNECT},
       {"networkButtonActivate", IDS_SETTINGS_INTERNET_BUTTON_ACTIVATE},
       {"networkButtonConfigure", IDS_SETTINGS_INTERNET_BUTTON_CONFIGURE},