Fix themes for supervised users on extensions lite

Extensions lite was an emergency feature, launched in response to the
COVID-19 crisis, to enable supervised users to temporarily install
extensions, such as Zoom, from the ExtensionInstallWhitelist policy.

While all extensions are currently blocked for supervised users,
themes are not. The current implementation of extensions lite will
block all themes for supervised users, since not every theme is
included in the policy whitelist. This CL checks for and excludes
themes from StandardManagementPolicyProvider::UserMayLoad(), to
restore supervised users' ability to install themes.

Bug: 1066244
Change-Id: I9a90d2408545de6d28ec38c90627f1037cf143d8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128374Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: James Cook <jamescook@chromium.org>
Commit-Queue: Toby Huang <tobyhuang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#755054}

chrome/browser/extensions/extension_management.h

@@ -182,7 +182,7 @@ class ExtensionManagement : public KeyedService {
                            std::string* required_version) const;
 
   // Returns whether the profile associated with this instance is supervised.
-  bool IsChild() const { return is_child_; }
+  bool is_child() const { return is_child_; }
 
  private:
   using SettingsIdMap =

chrome/browser/extensions/extension_service_sync_unittest.cc

@@ -2728,6 +2728,25 @@ TEST_F(ExtensionServiceTestSupervised, ExtensionsLiteInstallAllowlisted) {
   histogram_tester.ExpectTotalCount("SupervisedUsers.ExtensionsAllowlist", 2);
 }
 
+// Tests that theme installation is not blocked for supervised users, even if
+// the id is not on the allowlist.
+TEST_F(ExtensionServiceTestSupervised, ExtensionsLiteThemesAllowed) {
+  InitSupervisedUserExtensionInstallFeatures(
+      SupervisedUserExtensionInstallFeatureMode::kLite);
+  InitServices(/*profile_is_supervised=*/true);
+
+  {
+    ManagementPrefUpdater pref_updater(testing_pref_service());
+    pref_updater.SetBlacklistedByDefault(true);
+  }
+
+  base::FilePath path = data_dir().AppendASCII("theme.crx");
+  const Extension* theme = InstallCRX(path, INSTALL_NEW);
+  ASSERT_TRUE(theme);
+  std::string id = theme->id();
+  EXPECT_TRUE(registry()->enabled_extensions().Contains(id));
+}
+
 #endif  // BUILDFLAG(ENABLE_SUPERVISED_USERS)
 
 // Tests sync behavior in the case of an item that starts out as an app and gets

chrome/browser/extensions/standard_management_policy_provider.cc

@@ -137,6 +137,12 @@ bool StandardManagementPolicyProvider::UserMayLoad(
   if (installation_mode == ExtensionManagement::INSTALLATION_BLOCKED ||
       installation_mode == ExtensionManagement::INSTALLATION_REMOVED) {
 #if BUILDFLAG(ENABLE_SUPERVISED_USERS)
+    if (IsSupervisedUserAllowlistExtensionInstallActive() &&
+        extension->is_theme()) {
+      // Themes should always be allowed, to maintain current functionality
+      // that supervised users already possess.
+      return true;
+    }
     RecordAllowlistExtensionUmaMetrics(
         UmaExtensionStateAllowlist::kAllowlistMiss, extension);
 #endif  // BUILDFLAG(ENABLE_SUPERVISED_USERS)
@@ -248,12 +254,17 @@ bool StandardManagementPolicyProvider::ReturnLoadError(
 }
 
 #if BUILDFLAG(ENABLE_SUPERVISED_USERS)
+bool StandardManagementPolicyProvider::
+    IsSupervisedUserAllowlistExtensionInstallActive() const {
+  return base::FeatureList::IsEnabled(
+             supervised_users::kSupervisedUserAllowlistExtensionInstall) &&
+         settings_->is_child() && settings_->BlacklistedByDefault();
+}
+
 void StandardManagementPolicyProvider::RecordAllowlistExtensionUmaMetrics(
     UmaExtensionStateAllowlist state,
     const Extension* extension) const {
-  if (base::FeatureList::IsEnabled(
-          supervised_users::kSupervisedUserAllowlistExtensionInstall) &&
-      settings_->IsChild() && settings_->BlacklistedByDefault()) {
+  if (IsSupervisedUserAllowlistExtensionInstallActive()) {
     // If extensions are blacklisted by default, then all extension installs
     // must go through the ExtensionInstallWhitelist. Record the whitelist hit
     // rate here.

chrome/browser/extensions/standard_management_policy_provider.h

@@ -72,6 +72,8 @@ class StandardManagementPolicyProvider : public ManagementPolicy::Provider {
                        base::string16* error) const;
 
 #if BUILDFLAG(ENABLE_SUPERVISED_USERS)
+  bool IsSupervisedUserAllowlistExtensionInstallActive() const;
+
   // TODO(crbug/1063104): Remove this function once full extensions launches.
   void RecordAllowlistExtensionUmaMetrics(UmaExtensionStateAllowlist state,
                                           const Extension* extension) const;