Add per-profile reporting client to SafeBrowsingPrivateEventRouter

This adds the basic internal changes to SafeBrowsingPrivateEventRouter needed to report per-profile events. This CL doesn't add new tests, as this is difficult without other per-profile CLs being submitted. Adding such tests is tracked in crbug.com/1159930 Bug: 1159533 Change-Id: I65f626941367fb31ac6005fa230624d01f861718 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2595833Reviewed-by: Daniel Rubery <drubery@chromium.org> Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org> Cr-Commit-Position: refs/heads/master@{#841152}

Add per-profile reporting client to SafeBrowsingPrivateEventRouter
This adds the basic internal changes to SafeBrowsingPrivateEventRouter needed to report per-profile events. This CL doesn't add new tests, as this is difficult without other per-profile CLs being submitted. Adding such tests is tracked in crbug.com/1159930 Bug: 1159533 Change-Id: I65f626941367fb31ac6005fa230624d01f861718 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2595833Reviewed-by: Daniel Rubery <drubery@chromium.org> Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org> Cr-Commit-Position: refs/heads/master@{#841152}
2e1d0d19 · Dominique Fauteux-Chapleau · Chromium LUCI CQ · a2478b8c · 2e1d0d19 · 2e1d0d19
Commit 2e1d0d19 authored Jan 07, 2021 by Dominique Fauteux-Chapleau Committed by Chromium LUCI CQ Jan 07, 2021
6 changed files
--- a/chrome/browser/enterprise/connectors/content_analysis_delegate_browsertest.cc
+++ b/chrome/browser/enterprise/connectors/content_analysis_delegate_browsertest.cc
@@ -217,9 +217,10 @@ class ContentAnalysisDelegateBrowserTest
                                               true);
    client_ = std::make_unique<policy::MockCloudPolicyClient>();
+    client_->SetDMToken(kDmToken);
    extensions::SafeBrowsingPrivateEventRouterFactory::GetForProfile(
        browser()->profile())
-        ->SetCloudPolicyClientForTesting(client_.get());
+        ->SetBrowserCloudPolicyClientForTesting(client_.get());
    extensions::SafeBrowsingPrivateEventRouterFactory::GetForProfile(
        browser()->profile())
        ->SetBinaryUploadServiceForTesting(FakeBinaryUploadServiceStorage());

--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.cc
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.cc
@@ -38,6 +38,7 @@
 #include "components/policy/core/common/cloud/device_management_service.h"
 #include "components/policy/core/common/cloud/machine_level_user_cloud_policy_manager.h"
 #include "components/policy/core/common/cloud/realtime_reporting_job_configuration.h"
+#include "components/policy/core/common/cloud/user_cloud_policy_manager.h"
 #include "components/prefs/pref_service.h"
 #include "components/safe_browsing/content/web_ui/safe_browsing_ui.h"
 #include "components/safe_browsing/core/common/safe_browsing_prefs.h"
@@ -70,6 +71,7 @@ const char kUserPolicyClientDescription[] = "a user";
 const char kChromeBrowserCloudManagementClientDescription[] =
    "a machine-level user";
 #endif
+const char kProfilePolicyClientDescription[] = "a profile-level user";
 void AddAnalysisConnectorVerdictToEvent(
    const enterprise_connectors::ContentAnalysisResponse::Result& result,
@@ -102,6 +104,11 @@ std::string MalwareRuleToThreatType(const std::string& rule_name) {
  }
 }
+bool IsClientValid(const std::string& dm_token,
+                   policy::CloudPolicyClient* client) {
+  return client && client->dm_token() == dm_token;
+}
 }  // namespace
 namespace extensions {
@@ -170,8 +177,10 @@ SafeBrowsingPrivateEventRouter::SafeBrowsingPrivateEventRouter(
 }
 SafeBrowsingPrivateEventRouter::~SafeBrowsingPrivateEventRouter() {
-  if (client_)
+  if (browser_client_)
-    client_->RemoveObserver(this);
+    browser_client_->RemoveObserver(this);
+  if (profile_client_)
+    profile_client_->RemoveObserver(this);
 }
 void SafeBrowsingPrivateEventRouter::OnPolicySpecifiedPasswordReuseDetected(
@@ -197,11 +206,12 @@ void SafeBrowsingPrivateEventRouter::OnPolicySpecifiedPasswordReuseDetected(
    event_router_->BroadcastEvent(std::move(extension_event));
  }
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeyPasswordReuseEvent,
+      kKeyPasswordReuseEvent, std::move(settings.value()),
      base::BindOnce(
          [](const std::string& url, const std::string& user_name,
             const bool is_phishing_url, const std::string& profile_user_name) {
@@ -232,10 +242,11 @@ void SafeBrowsingPrivateEventRouter::OnPolicySpecifiedPasswordChanged(
    event_router_->BroadcastEvent(std::move(extension_event));
  }
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
-  ReportRealtimeEvent(kKeyPasswordChangedEvent,
+  ReportRealtimeEvent(kKeyPasswordChangedEvent, std::move(settings.value()),
                      base::BindOnce(
                          [](const std::string& user_name,
                             const std::string& profile_user_name) {
@@ -274,11 +285,12 @@ void SafeBrowsingPrivateEventRouter::OnDangerousDownloadOpened(
    event_router_->BroadcastEvent(std::move(extension_event));
  }
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeyDangerousDownloadEvent,
+      kKeyDangerousDownloadEvent, std::move(settings.value()),
      base::BindOnce(
          [](const std::string& url, const std::string& file_name,
             const std::string& download_digest_sha256,
@@ -332,7 +344,8 @@ void SafeBrowsingPrivateEventRouter::OnSecurityInterstitialShown(
    event_router_->BroadcastEvent(std::move(extension_event));
  }
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  PrefService* prefs = Profile::FromBrowserContext(context_)->GetPrefs();
@@ -341,7 +354,7 @@ void SafeBrowsingPrivateEventRouter::OnSecurityInterstitialShown(
          ? safe_browsing::EventResult::BLOCKED
          : safe_browsing::EventResult::WARNED;
  ReportRealtimeEvent(
-      kKeyInterstitialEvent,
+      kKeyInterstitialEvent, std::move(settings.value()),
      base::BindOnce(
          [](const std::string& url, const std::string& reason,
             int net_error_code, const std::string& user_name,
@@ -388,11 +401,12 @@ void SafeBrowsingPrivateEventRouter::OnSecurityInterstitialProceeded(
    event_router_->BroadcastEvent(std::move(extension_event));
  }
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeyInterstitialEvent,
+      kKeyInterstitialEvent, std::move(settings.value()),
      base::BindOnce(
          [](const std::string& url, const std::string& reason,
             int net_error_code, const std::string& user_name) {
@@ -421,9 +435,6 @@ void SafeBrowsingPrivateEventRouter::OnAnalysisConnectorResult(
    const enterprise_connectors::ContentAnalysisResponse::Result& result,
    const int64_t content_size,
    safe_browsing::EventResult event_result) {
-  if (!IsRealtimeReportingEnabled())
-    return;
  if (result.tag() == "malware") {
    DCHECK_EQ(1, result.triggered_rules().size());
    OnDangerousDeepScanningResult(
@@ -449,11 +460,12 @@ void SafeBrowsingPrivateEventRouter::OnDangerousDeepScanningResult(
    const std::string& malware_family,
    const std::string& malware_category,
    const std::string& evidence_locker_filepath) {
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeyDangerousDownloadEvent,
+      kKeyDangerousDownloadEvent, std::move(settings.value()),
      base::BindOnce(
          [](const std::string& url, const std::string& file_name,
             const std::string& download_digest_sha256,
@@ -509,11 +521,12 @@ void SafeBrowsingPrivateEventRouter::OnSensitiveDataEvent(
    const enterprise_connectors::ContentAnalysisResponse::Result& result,
    const int64_t content_size,
    safe_browsing::EventResult event_result) {
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeySensitiveDataEvent,
+      kKeySensitiveDataEvent, std::move(settings.value()),
      base::BindOnce(
          [](const enterprise_connectors::ContentAnalysisResponse::Result&
                 result,
@@ -565,11 +578,12 @@ void SafeBrowsingPrivateEventRouter::OnAnalysisConnectorWarningBypassed(
    safe_browsing::DeepScanAccessPoint access_point,
    const enterprise_connectors::ContentAnalysisResponse::Result& result,
    const int64_t content_size) {
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeySensitiveDataEvent,
+      kKeySensitiveDataEvent, std::move(settings.value()),
      base::BindOnce(
          [](const enterprise_connectors::ContentAnalysisResponse::Result&
                 result,
@@ -621,11 +635,12 @@ void SafeBrowsingPrivateEventRouter::OnUnscannedFileEvent(
    const std::string& reason,
    const int64_t content_size,
    safe_browsing::EventResult event_result) {
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeyUnscannedFileEvent,
+      kKeyUnscannedFileEvent, std::move(settings.value()),
      base::BindOnce(
          [](const std::string& url, const std::string& file_name,
             const std::string& download_digest_sha256,
@@ -670,11 +685,12 @@ void SafeBrowsingPrivateEventRouter::OnDangerousDownloadEvent(
    const std::string& mime_type,
    const int64_t content_size,
    safe_browsing::EventResult event_result) {
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeyDangerousDownloadEvent,
+      kKeyDangerousDownloadEvent, std::move(settings.value()),
      base::BindOnce(
          [](const std::string& url, const std::string& file_name,
             const std::string& download_digest_sha256,
@@ -713,11 +729,12 @@ void SafeBrowsingPrivateEventRouter::OnDangerousDownloadWarningBypassed(
    const std::string& threat_type,
    const std::string& mime_type,
    const int64_t content_size) {
-  if (!IsRealtimeReportingEnabled())
+  auto settings = GetReportingSettings();
+  if (!settings.has_value())
    return;
  ReportRealtimeEvent(
-      kKeyDangerousDownloadEvent,
+      kKeyDangerousDownloadEvent, std::move(settings.value()),
      base::BindOnce(
          [](const std::string& url, const std::string& file_name,
             const std::string& download_digest_sha256,
@@ -759,15 +776,20 @@ bool SafeBrowsingPrivateEventRouter::ShouldInitRealtimeReportingClient() {
  if (!IsRealtimeReportingAvailable()) {
    DVLOG(1) << "Safe browsing real-time event reporting is only available for "
-                "managed browsers or devices.";
+                "managed browsers, devices or users.";
    return false;
  }
  return true;
 }
-void SafeBrowsingPrivateEventRouter::SetCloudPolicyClientForTesting(
+void SafeBrowsingPrivateEventRouter::SetBrowserCloudPolicyClientForTesting(
+    policy::CloudPolicyClient* client) {
+  browser_client_ = client;
+}
+void SafeBrowsingPrivateEventRouter::SetProfileCloudPolicyClientForTesting(
    policy::CloudPolicyClient* client) {
-  client_ = client;
+  profile_client_ = client;
 }
 void SafeBrowsingPrivateEventRouter::SetBinaryUploadServiceForTesting(
@@ -780,9 +802,13 @@ void SafeBrowsingPrivateEventRouter::SetIdentityManagerForTesting(
  identity_manager_ = identity_manager;
 }
-void SafeBrowsingPrivateEventRouter::InitRealtimeReportingClient() {
+void SafeBrowsingPrivateEventRouter::InitRealtimeReportingClient(
-  // If already initialized, do nothing.
+    const enterprise_connectors::ReportingSettings& settings) {
-  if (client_) {
+  // If the corresponding client is already initialized, do nothing.
+  if ((settings.per_profile &&
+       IsClientValid(settings.dm_token, profile_client_)) ||
+      (!settings.per_profile &&
+       IsClientValid(settings.dm_token, browser_client_))) {
    DVLOG(2) << "Safe browsing real-time event reporting already initialized.";
    return;
  }
@@ -798,23 +824,47 @@ void SafeBrowsingPrivateEventRouter::InitRealtimeReportingClient() {
    return;
  }
+  policy::CloudPolicyClient* client = nullptr;
+  std::string policy_client_desc;
+#if defined(OS_CHROMEOS)
+  auto desc_and_client = InitBrowserReportingClient(settings.dm_token);
+#else
+  auto desc_and_client = settings.per_profile
+                             ? InitProfileReportingClient(settings.dm_token)
+                             : InitBrowserReportingClient(settings.dm_token);
+#endif
+  if (!desc_and_client.second)
+    return;
+  policy_client_desc = std::move(desc_and_client.first);
+  client = std::move(desc_and_client.second);
+  OnCloudPolicyClientAvailable(policy_client_desc, client);
+}
+std::pair<std::string, policy::CloudPolicyClient*>
+SafeBrowsingPrivateEventRouter::InitBrowserReportingClient(
+    const std::string& dm_token) {
  // |device_management_service| may be null in tests. If there is no device
  // management service don't enable the real-time reporting API since the
  // router won't be able to create the reporting server client below.
  policy::DeviceManagementService* device_management_service =
      g_browser_process->browser_policy_connector()
          ->device_management_service();
+  std::string policy_client_desc;
+#if defined(OS_CHROMEOS)
+  policy_client_desc = kPolicyClientDescription;
+#else
+  policy_client_desc = kChromeBrowserCloudManagementClientDescription;
+#endif
  if (!device_management_service) {
    DVLOG(2) << "Safe browsing real-time event requires a device management "
                "service.";
-    return;
+    return {policy_client_desc, nullptr};
  }
  policy::CloudPolicyClient* client = nullptr;
-  std::string policy_client_desc;
-#if BUILDFLAG(IS_CHROMEOS_ASH)
+#if defined(OS_CHROMEOS)
-  policy_client_desc = kPolicyClientDescription;
  auto* user = GetChromeOSUser();
  if (user) {
    auto* profile = chromeos::ProfileHelper::Get()->GetProfileByUser(user);
@@ -835,35 +885,16 @@ void SafeBrowsingPrivateEventRouter::InitRealtimeReportingClient() {
    LOG(ERROR) << "Could not determine who the user is.";
  }
 #else
-  policy_client_desc = kChromeBrowserCloudManagementClientDescription;
-  // Make sure we have a DM token to proceed.  During the lifetime of a running
-  // chrome browser, this can only change from empty to non-empty.  There are
-  // no cases where chrome starts with a dm token and then it goes away.
-  // When chrome starts without a dm token and determines that one is needed,
-  // browser startup is blocked until it is retrieved or an error occurs.  In
-  // the latter case, chrome won't try to retrieve it again until the next
-  // restart.
-  //
-  // Therefore, it is OK to retrieve the dm token once here on initialization
-  // of the router to determine if real-time reporting can be enabled or not.
-  auto settings =
-      enterprise_connectors::ConnectorsServiceFactory::GetForBrowserContext(
-          context_)
-          ->GetReportingSettings(
-              enterprise_connectors::ReportingConnector::SECURITY_EVENT);
  std::string client_id =
      policy::BrowserDMTokenStorage::Get()->RetrieveClientId();
-  if (!settings.has_value() || settings.value().dm_token.empty())
-    return;
  // Make sure DeviceManagementService has been initialized.
  device_management_service->ScheduleInitialization(0);
-  private_client_ = std::make_unique<policy::CloudPolicyClient>(
+  browser_private_client_ = std::make_unique<policy::CloudPolicyClient>(
      device_management_service, g_browser_process->shared_url_loader_factory(),
      policy::CloudPolicyClient::DeviceDMTokenCallback());
-  client = private_client_.get();
+  client = browser_private_client_.get();
  // TODO(crbug.com/1069049): when we decide to add the extra URL parameters to
  // the uploaded reports, do the following:
@@ -872,39 +903,73 @@ void SafeBrowsingPrivateEventRouter::InitRealtimeReportingClient() {
  if (!client->is_registered()) {
    client->SetupRegistration(
-        settings.value().dm_token, client_id,
+        dm_token, client_id,
        /*user_affiliation_ids=*/std::vector<std::string>());
  }
 #endif
-  OnCloudPolicyClientAvailable(policy_client_desc, client);
+  return {policy_client_desc, client};
+}
+#if !defined(OS_CHROMEOS)
+std::pair<std::string, policy::CloudPolicyClient*>
+SafeBrowsingPrivateEventRouter::InitProfileReportingClient(
+    const std::string& dm_token) {
+  policy::UserCloudPolicyManager* policy_manager =
+      Profile::FromBrowserContext(context_)->GetUserCloudPolicyManager();
+  if (!policy_manager || !policy_manager->core() ||
+      !policy_manager->core()->client()) {
+    return {kProfilePolicyClientDescription, nullptr};
+  }
+  profile_private_client_ = std::make_unique<policy::CloudPolicyClient>(
+      policy_manager->core()->client()->service(),
+      g_browser_process->shared_url_loader_factory(),
+      policy::CloudPolicyClient::DeviceDMTokenCallback());
+  policy::CloudPolicyClient* client = profile_private_client_.get();
+  // TODO(crbug.com/1069049): when we decide to add the extra URL parameters to
+  // the uploaded reports, do the following:
+  //     client->add_connector_url_params(base::FeatureList::IsEnabled(
+  //        enterprise_connectors::kEnterpriseConnectorsEnabled));
+  client->SetupRegistration(dm_token,
+                            policy_manager->core()->client()->client_id(),
+                            /*user_affiliation_ids*/ {});
+  return {kProfilePolicyClientDescription, client};
 }
+#endif  // !defined(OS_CHROMEOS)
 void SafeBrowsingPrivateEventRouter::OnCloudPolicyClientAvailable(
    const std::string& policy_client_desc,
    policy::CloudPolicyClient* client) {
-  client_ = client;
+  if (policy_client_desc == kProfilePolicyClientDescription)
-  if (client_ == nullptr) {
+    profile_client_ = client;
+  else
+    browser_client_ = client;
+  if (client == nullptr) {
    LOG(ERROR) << "Could not obtain " << policy_client_desc
               << " for safe browsing real-time event reporting.";
    return;
  }
-  client_->AddObserver(this);
+  client->AddObserver(this);
  VLOG(1) << "Ready for safe browsing real-time event reporting.";
 }
-bool SafeBrowsingPrivateEventRouter::IsRealtimeReportingEnabled() {
+base::Optional<enterprise_connectors::ReportingSettings>
-  auto settings =
+SafeBrowsingPrivateEventRouter::GetReportingSettings() {
-      enterprise_connectors::ConnectorsServiceFactory::GetForBrowserContext(
+  return enterprise_connectors::ConnectorsServiceFactory::GetForBrowserContext(
-          context_)
+             context_)
-          ->GetReportingSettings(
+      ->GetReportingSettings(
-              enterprise_connectors::ReportingConnector::SECURITY_EVENT);
+          enterprise_connectors::ReportingConnector::SECURITY_EVENT);
-  return settings.has_value();
 }
 void SafeBrowsingPrivateEventRouter::IfAuthorized(
+    const std::string& dm_token,
    base::OnceCallback<void(bool)> cont) {
  if (!binary_upload_service_ && g_browser_process) {
    binary_upload_service_ =
@@ -912,30 +977,30 @@ void SafeBrowsingPrivateEventRouter::IfAuthorized(
            Profile::FromBrowserContext(context_));
  }
-  auto settings =
-      enterprise_connectors::ConnectorsServiceFactory::GetForBrowserContext(
-          context_)
-          ->GetReportingSettings(
-              enterprise_connectors::ReportingConnector::SECURITY_EVENT);
  // TODO(crbug/1069049): Use reporting URL.
-  if (binary_upload_service_ && settings.has_value())
+  if (binary_upload_service_)
    binary_upload_service_->IsAuthorized(
-        GURL(), std::move(cont), settings.value().dm_token,
+        GURL(), std::move(cont), dm_token,
        enterprise_connectors::AnalysisConnector::
            ANALYSIS_CONNECTOR_UNSPECIFIED);
 }
 void SafeBrowsingPrivateEventRouter::ReportRealtimeEvent(
    const std::string& name,
+    enterprise_connectors::ReportingSettings settings,
    EventBuilder event_builder) {
-  IfAuthorized(base::BindOnce(
+  // Copy the DM token since |settings| is about to move.
-      &SafeBrowsingPrivateEventRouter::ReportRealtimeEventCallback,
+  std::string dm_token = settings.dm_token;
-      weak_ptr_factory_.GetWeakPtr(), name, std::move(event_builder)));
+  IfAuthorized(dm_token,
+               base::BindOnce(
+                   &SafeBrowsingPrivateEventRouter::ReportRealtimeEventCallback,
+                   weak_ptr_factory_.GetWeakPtr(), name, std::move(settings),
+                   std::move(event_builder)));
 }
 void SafeBrowsingPrivateEventRouter::ReportRealtimeEventCallback(
    const std::string& name,
+    enterprise_connectors::ReportingSettings settings,
    EventBuilder event_builder,
    bool authorized) {
  // Ignore the event if we know we can't report it.
@@ -945,9 +1010,11 @@ void SafeBrowsingPrivateEventRouter::ReportRealtimeEventCallback(
  }
  // Make sure real-time reporting is initialized.
-  InitRealtimeReportingClient();
+  InitRealtimeReportingClient(settings);
-  if (!client_)
+  if ((settings.per_profile && !profile_client_) ||
+      (!settings.per_profile && !browser_client_)) {
    return;
+  }
  // Format the current time (UTC) in RFC3339 format.
  base::Time::Exploded now_exploded;
@@ -973,7 +1040,8 @@ void SafeBrowsingPrivateEventRouter::ReportRealtimeEventCallback(
  base::Value event_list(base::Value::Type::LIST);
  event_list.Append(std::move(wrapper));
-  client_->UploadSecurityEventReport(
+  auto* client = settings.per_profile ? profile_client_ : browser_client_;
+  client->UploadSecurityEventReport(
      context_,
      policy::RealtimeReportingJobConfiguration::BuildReport(
          std::move(event_list),
@@ -1008,9 +1076,9 @@ bool SafeBrowsingPrivateEventRouter::IsRealtimeReportingAvailable() {
  auto* user = GetChromeOSUser();
  return user && user->IsAffiliated();
 #else
-  return g_browser_process->browser_policy_connector()
+  // The management status is determined by the settings returned by
-      ->chrome_browser_cloud_management_controller()
+  // ConnectorsService.
-      ->IsEnabled();
+  return true;
 #endif
 }

--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.h
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.h
@@ -14,6 +14,7 @@
 #include "base/memory/weak_ptr.h"
 #include "base/values.h"
 #include "build/chromeos_buildflags.h"
+#include "chrome/browser/enterprise/connectors/common.h"
 #include "chrome/browser/safe_browsing/cloud_content_scanning/deep_scanning_utils.h"
 #include "components/keyed_service/core/keyed_service.h"
 #include "components/policy/core/common/cloud/cloud_policy_client.h"
@@ -190,11 +191,12 @@ class SafeBrowsingPrivateEventRouter
      const int64_t content_size);
  // Returns true if enterprise real-time reporting should be initialized,
-  // checking both the feature flag and whether the browser is managed.  This
+  // checking both the feature flag. This function is public so that it can
-  // function is public so that it can called in tests.
+  // called in tests.
  static bool ShouldInitRealtimeReportingClient();
-  void SetCloudPolicyClientForTesting(policy::CloudPolicyClient* client);
+  void SetBrowserCloudPolicyClientForTesting(policy::CloudPolicyClient* client);
+  void SetProfileCloudPolicyClientForTesting(policy::CloudPolicyClient* client);
  void SetBinaryUploadServiceForTesting(
      safe_browsing::BinaryUploadService* binary_upload_service);
@@ -212,29 +214,50 @@ class SafeBrowsingPrivateEventRouter
  // directly by tests. Events are created lazily to avoid doing useless work if
  // they are discarded.
  using EventBuilder = base::OnceCallback<base::Value()>;
-  void ReportRealtimeEventCallback(const std::string& name,
+  void ReportRealtimeEventCallback(
-                                   EventBuilder event_builder,
+      const std::string& name,
-                                   bool authorized);
+      enterprise_connectors::ReportingSettings settings,
+      EventBuilder event_builder,
+      bool authorized);
 private:
-  // Initialize the real-time report client if needed.  This client is used only
+  // Initialize a real-time report client if needed.  This client is used only
  // if real-time reporting is enabled, the machine is properly reigistered
  // with CBCM and the appropriate policies are enabled.
-  void InitRealtimeReportingClient();
+  void InitRealtimeReportingClient(
+      const enterprise_connectors::ReportingSettings& settings);
+  // Sub-methods called by InitRealtimeReportingClient to make appropriate
+  // verifications and initialize the corresponding client. Returns a policy
+  // client description and a client, which can be nullptr if it can't be
+  // initialized.
+  std::pair<std::string, policy::CloudPolicyClient*> InitBrowserReportingClient(
+      const std::string& dm_token);
+#if !defined(OS_CHROMEOS)
+  std::pair<std::string, policy::CloudPolicyClient*> InitProfileReportingClient(
+      const std::string& dm_token);
+#endif
  // Continues execution if the client is authorized to do so.
-  void IfAuthorized(base::OnceCallback<void(bool)> cont);
+  void IfAuthorized(const std::string& dm_token,
+                    base::OnceCallback<void(bool)> cont);
  // Determines if the real-time reporting feature is enabled.
-  bool IsRealtimeReportingEnabled();
+  // Obtain settings to apply to a reporting event from ConnectorsService.
+  // base::nullopt represents that reporting should not be done.
+  base::Optional<enterprise_connectors::ReportingSettings>
+  GetReportingSettings();
  // Called whenever the real-time reporting policy changes.
  void RealtimeReportingPrefChanged(const std::string& pref);
  // Report safe browsing event through real-time reporting channel, if enabled.
  // Declared as virtual for tests.
-  virtual void ReportRealtimeEvent(const std::string&,
+  virtual void ReportRealtimeEvent(
-                                   EventBuilder event_builder);
+      const std::string&,
+      enterprise_connectors::ReportingSettings settings,
+      EventBuilder event_builder);
  // Create a privately owned cloud policy client for events routing.
  void CreatePrivateCloudPolicyClient(
@@ -291,12 +314,17 @@ class SafeBrowsingPrivateEventRouter
  signin::IdentityManager* identity_manager_ = nullptr;
  EventRouter* event_router_ = nullptr;
  safe_browsing::BinaryUploadService* binary_upload_service_ = nullptr;
-  // The cloud policy client used to upload events to the cloud. This client
-  // is never used to fetch policies. This pointer is not owned by the class.
+  // The cloud policy clients used to upload browser events and profile events
-  policy::CloudPolicyClient* client_ = nullptr;
+  // to the cloud. These clients are never used to fetch policies. These
-  // The |private_client_| is used on platforms where we cannot just get a
+  // pointers are not owned by the class.
-  // client and we create our own (used through |client_|).
+  policy::CloudPolicyClient* browser_client_ = nullptr;
-  std::unique_ptr<policy::CloudPolicyClient> private_client_;
+  policy::CloudPolicyClient* profile_client_ = nullptr;
+  // The private clients are used on platforms where we cannot just get a
+  // client and we create our own (used through the above client pointers).
+  std::unique_ptr<policy::CloudPolicyClient> browser_private_client_;
+  std::unique_ptr<policy::CloudPolicyClient> profile_private_client_;
  base::WeakPtrFactory<SafeBrowsingPrivateEventRouter> weak_ptr_factory_{this};
  DISALLOW_COPY_AND_ASSIGN(SafeBrowsingPrivateEventRouter);

--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router_unittest.cc
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router_unittest.cc
@@ -82,8 +82,10 @@ class FakeAuthorizedSafeBrowsingPrivateEventRouter
 private:
  void ReportRealtimeEvent(const std::string& name,
+                           enterprise_connectors::ReportingSettings settings,
                           EventBuilder event_builder) override {
-    ReportRealtimeEventCallback(name, std::move(event_builder), true);
+    ReportRealtimeEventCallback(name, std::move(settings),
+                                std::move(event_builder), true);
  }
 };
@@ -96,8 +98,10 @@ class FakeUnauthorizedSafeBrowsingPrivateEventRouter
 private:
  void ReportRealtimeEvent(const std::string& name,
+                           enterprise_connectors::ReportingSettings settings,
                           EventBuilder event_builder) override {
-    ReportRealtimeEventCallback(name, std::move(event_builder), false);
+    ReportRealtimeEventCallback(name, std::move(settings),
+                                std::move(event_builder), false);
  }
 };
@@ -237,8 +241,9 @@ class SafeBrowsingPrivateEventRouterTest : public testing::Test {
    // Set a mock cloud policy client in the router.
    client_ = std::make_unique<policy::MockCloudPolicyClient>();
+    client_->SetDMToken("fake-token");
    SafeBrowsingPrivateEventRouterFactory::GetForProfile(profile_)
-        ->SetCloudPolicyClientForTesting(client_.get());
+        ->SetBrowserCloudPolicyClientForTesting(client_.get());
  }
  void SetUpRouters(bool realtime_reporting_enable = true,
@@ -995,7 +1000,7 @@ class SafeBrowsingIsRealtimeReportingEnabledTest
  }
  bool should_init() {
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && !BUILDFLAG(IS_CHROMEOS_ASH)
+#if !BUILDFLAG(IS_CHROMEOS_ASH)
    return is_feature_flag_enabled_;
 #else
    return is_feature_flag_enabled_ && is_manageable_;
@@ -1031,12 +1036,10 @@ TEST_P(SafeBrowsingIsRealtimeReportingEnabledTest, CheckRealtimeReport) {
      api::safe_browsing_private::OnPolicySpecifiedPasswordChanged::kEventName);
  event_router_->AddEventObserver(&event_observer);
-#if BUILDFLAG(GOOGLE_CHROME_BRANDING) && !BUILDFLAG(IS_CHROMEOS_ASH)
  bool should_report =
      is_feature_flag_enabled_ && is_policy_enabled_ && is_authorized_;
-#else
+#if BUILDFLAG(IS_CHROMEOS_ASH)
-  bool should_report = is_feature_flag_enabled_ && is_manageable_ &&
+  should_report &= is_manageable_;
-                       is_policy_enabled_ && is_authorized_;
 #endif
  if (should_report) {

--- a/chrome/browser/safe_browsing/download_protection/deep_scanning_browsertest.cc
+++ b/chrome/browser/safe_browsing/download_protection/deep_scanning_browsertest.cc
@@ -118,9 +118,10 @@ class DownloadDeepScanningBrowserTest
  void SetUpReporting() {
    SetOnSecurityEventReporting(browser()->profile()->GetPrefs(), true);
    client_ = std::make_unique<policy::MockCloudPolicyClient>();
+    client_->SetDMToken("dm_token");
    extensions::SafeBrowsingPrivateEventRouterFactory::GetForProfile(
        browser()->profile())
-        ->SetCloudPolicyClientForTesting(client_.get());
+        ->SetBrowserCloudPolicyClientForTesting(client_.get());
    identity_test_environment_ =
        std::make_unique<signin::IdentityTestEnvironment>();
    identity_test_environment_->MakePrimaryAccountAvailable(kUserName);

--- a/chrome/browser/safe_browsing/download_protection/deep_scanning_request_unittest.cc
+++ b/chrome/browser/safe_browsing/download_protection/deep_scanning_request_unittest.cc
@@ -431,7 +431,7 @@ class DeepScanningReportingTest : public DeepScanningRequestTest {
            profile_,
            base::BindRepeating(&BuildSafeBrowsingPrivateEventRouter));
    extensions::SafeBrowsingPrivateEventRouterFactory::GetForProfile(profile_)
-        ->SetCloudPolicyClientForTesting(client_.get());
+        ->SetBrowserCloudPolicyClientForTesting(client_.get());
    extensions::SafeBrowsingPrivateEventRouterFactory::GetForProfile(profile_)
        ->SetBinaryUploadServiceForTesting(
            download_protection_service_.GetFakeBinaryUploadService());
@@ -448,7 +448,7 @@ class DeepScanningReportingTest : public DeepScanningRequestTest {
  void TearDown() override {
    extensions::SafeBrowsingPrivateEventRouterFactory::GetForProfile(profile_)
-        ->SetCloudPolicyClientForTesting(nullptr);
+        ->SetBrowserCloudPolicyClientForTesting(nullptr);
    DeepScanningRequestTest::TearDown();
  }