system-proxy: Start System-proxy worker for ARC++

This CL starts the System-proxy worker which tunnels ARC++ traffic
according to the |ArcEnabled| policy and forwards the address of the
local proxy to ARC++ through the |ArcSettingsService|.
It also introduces a new user preference that keeps track of the
address of the local proxy worker and syncs with ARC when the address
changes or System-proxy is disabled by policy.

Bug: 1042639
Test: unit tests, browser test, manual test on DUT
Change-Id: Ibe84d74353d5f75376393e7cd8745f63db073de7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2323521Reviewed-by: Dominic Battré <battre@chromium.org>
Reviewed-by: David Jacobo <djacobo@chromium.org>
Reviewed-by: Omar Morsi <omorsi@google.com>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Commit-Queue: Andreea-Elena Costinas <acostinas@google.com>
Cr-Commit-Position: refs/heads/master@{#795459}

chrome/browser/chromeos/arc/intent_helper/arc_settings_service.cc

@@ -51,6 +51,7 @@
 #include "components/proxy_config/pref_proxy_config_tracker_impl.h"
 #include "components/proxy_config/proxy_config_dictionary.h"
 #include "components/proxy_config/proxy_config_pref_names.h"
+#include "net/base/url_util.h"
 #include "net/proxy_resolution/proxy_bypass_rules.h"
 #include "net/proxy_resolution/proxy_config.h"
 #include "third_party/blink/public/common/page/page_zoom.h"
@@ -63,6 +64,7 @@ constexpr char kSetFontScaleAction[] =
     "org.chromium.arc.intent_helper.SET_FONT_SCALE";
 constexpr char kSetPageZoomAction[] =
     "org.chromium.arc.intent_helper.SET_PAGE_ZOOM";
+constexpr char kSetProxyAction[] = "org.chromium.arc.intent_helper.SET_PROXY";
 
 constexpr char kArcProxyBypassListDelimiter[] = ",";
 
@@ -172,6 +174,8 @@ class ArcSettingsServiceImpl
   void SyncLocale() const;
   void SyncLocationServiceEnabled() const;
   void SyncProxySettings() const;
+  bool IsSystemProxyActive() const;
+  void SyncProxySettingsForSystemProxy() const;
   void SyncReportingConsent(bool initial_sync) const;
   void SyncPictureInPictureEnabled() const;
   void SyncSelectToSpeakEnabled() const;
@@ -284,7 +288,8 @@ void ArcSettingsServiceImpl::OnPrefChanged(const std::string& pref_name) const {
     SyncUse24HourClock();
   } else if (pref_name == ::prefs::kResolveTimezoneByGeolocationMethod) {
     SyncTimeZoneByGeolocation();
-  } else if (pref_name == proxy_config::prefs::kProxy) {
+  } else if (pref_name == proxy_config::prefs::kProxy ||
+             pref_name == ::prefs::kSystemProxyUserTrafficHostAndPort) {
     SyncProxySettings();
   } else {
     LOG(ERROR) << "Unknown pref changed.";
@@ -344,6 +349,7 @@ void ArcSettingsServiceImpl::StartObservingSettingsChanges() {
   AddPrefToObserve(ash::prefs::kAccessibilitySwitchAccessEnabled);
   AddPrefToObserve(ash::prefs::kAccessibilityVirtualKeyboardEnabled);
   AddPrefToObserve(::prefs::kResolveTimezoneByGeolocationMethod);
+  AddPrefToObserve(::prefs::kSystemProxyUserTrafficHostAndPort);
   AddPrefToObserve(::prefs::kUse24HourClock);
   AddPrefToObserve(proxy_config::prefs::kProxy);
   AddPrefToObserve(onc::prefs::kDeviceOpenNetworkConfiguration);
@@ -482,13 +488,16 @@ void ArcSettingsServiceImpl::SyncProxySettings() const {
   std::unique_ptr<ProxyConfigDictionary> proxy_config_dict =
       chromeos::ProxyConfigServiceImpl::GetActiveProxyConfigDictionary(
           GetPrefs(), g_browser_process->local_state());
-  if (!proxy_config_dict)
-    return;
 
   ProxyPrefs::ProxyMode mode;
   if (!proxy_config_dict || !proxy_config_dict->GetMode(&mode))
     mode = ProxyPrefs::MODE_DIRECT;
 
+  if (mode != ProxyPrefs::MODE_DIRECT && IsSystemProxyActive()) {
+    SyncProxySettingsForSystemProxy();
+    return;
+  }
+
   base::DictionaryValue extras;
   extras.SetString("mode", ProxyPrefs::ProxyModeToString(mode));
 
@@ -540,7 +549,36 @@ void ArcSettingsServiceImpl::SyncProxySettings() const {
       return;
   }
 
-  SendSettingsBroadcast("org.chromium.arc.intent_helper.SET_PROXY", extras);
+  SendSettingsBroadcast(kSetProxyAction, extras);
+}
+
+bool ArcSettingsServiceImpl::IsSystemProxyActive() const {
+  if (!profile_->GetPrefs()->HasPrefPath(
+          ::prefs::kSystemProxyUserTrafficHostAndPort)) {
+    return false;
+  }
+
+  const std::string proxy_host_and_port = profile_->GetPrefs()->GetString(
+      ::prefs::kSystemProxyUserTrafficHostAndPort);
+  // System-proxy can be active, but the network namespace for the worker
+  // process is not yet configured.
+  return !proxy_host_and_port.empty();
+}
+
+void ArcSettingsServiceImpl::SyncProxySettingsForSystemProxy() const {
+  const std::string proxy_host_and_port = profile_->GetPrefs()->GetString(
+      ::prefs::kSystemProxyUserTrafficHostAndPort);
+  std::string host;
+  int port;
+  if (!net::ParseHostAndPort(proxy_host_and_port, &host, &port))
+    return;
+
+  base::DictionaryValue extras;
+  extras.SetString(
+      "mode", ProxyPrefs::ProxyModeToString(ProxyPrefs::MODE_FIXED_SERVERS));
+  extras.SetString("host", host);
+  extras.SetInteger("port", port);
+  SendSettingsBroadcast(kSetProxyAction, extras);
 }
 
 void ArcSettingsServiceImpl::SyncReportingConsent(bool initial_sync) const {

chrome/browser/chromeos/arc/intent_helper/arc_settings_service_browsertest.cc

@@ -18,6 +18,7 @@
 #include "chrome/browser/chromeos/policy/configuration_policy_handler_chromeos.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/browser.h"
+#include "chrome/common/pref_names.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/shill/shill_profile_client.h"
@@ -518,6 +519,79 @@ IN_PROC_BROWSER_TEST_F(ArcSettingsServiceTest, ONCProxyPolicyTest) {
             1);
 }
 
+// Test to verify that, when enabled, the local proxy address is synced instead
+// of the real proxy set via policy.
+IN_PROC_BROWSER_TEST_F(ArcSettingsServiceTest,
+                       SystemProxyAddressForwardedTest) {
+  fake_intent_helper_instance_->clear_broadcasts();
+
+  policy::PolicyMap policy;
+  policy.Set(policy::key::kOpenNetworkConfiguration,
+             policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_USER,
+             policy::POLICY_SOURCE_CLOUD, base::Value(kONCPolicy), nullptr);
+  UpdatePolicy(policy);
+
+  base::Value expected_proxy_config(base::Value::Type::DICTIONARY);
+  expected_proxy_config.SetKey(
+      "mode", base::Value(ProxyPrefs::kPacScriptProxyModeName));
+  expected_proxy_config.SetKey("pacUrl", base::Value(kONCPacUrl));
+
+  // Set the user preference to indicate that ARC should connect to
+  // System-proxy.
+  browser()->profile()->GetPrefs()->Set(
+      ::prefs::kSystemProxyUserTrafficHostAndPort,
+      base::Value("local_proxy:3128"));
+  RunUntilIdle();
+
+  base::Value expected_proxy_config_system_proxy(base::Value::Type::DICTIONARY);
+  expected_proxy_config_system_proxy.SetKey(
+      "mode", base::Value(ProxyPrefs::kFixedServersProxyModeName));
+  expected_proxy_config_system_proxy.SetKey("host", base::Value("local_proxy"));
+  expected_proxy_config_system_proxy.SetIntKey("port", 3128);
+
+  // Unset the System-proxy preference to verify that ARC syncs proxy configs
+  // correctly when System-proxy is disabled.
+  browser()->profile()->GetPrefs()->Set(
+      ::prefs::kSystemProxyUserTrafficHostAndPort, base::Value(""));
+  RunUntilIdle();
+
+  EXPECT_EQ(CountProxyBroadcasts(
+                fake_intent_helper_instance_->broadcasts(),
+                {&expected_proxy_config, &expected_proxy_config_system_proxy,
+                 &expected_proxy_config}),
+            3);
+}
+
+// Test to verify that the address of the local proxy is not forwarded if
+// there's no proxy set in the browser.
+IN_PROC_BROWSER_TEST_F(ArcSettingsServiceTest,
+                       SystemProxyAddressNotForwardedForDirectMode) {
+  fake_intent_helper_instance_->clear_broadcasts();
+
+  policy::PolicyMap policy;
+  // Apply ONC policy with direct proxy.
+  policy.Set(policy::key::kDeviceOpenNetworkConfiguration,
+             policy::POLICY_LEVEL_MANDATORY, policy::POLICY_SCOPE_MACHINE,
+             policy::POLICY_SOURCE_CLOUD, base::Value(kDeviceONCPolicy),
+             nullptr);
+  UpdatePolicy(policy);
+
+  // Set the user preference to indicate that ARC should connect to
+  // System-proxy.
+  browser()->profile()->GetPrefs()->Set(
+      ::prefs::kSystemProxyUserTrafficHostAndPort,
+      base::Value("local_proxy:3128"));
+  RunUntilIdle();
+
+  base::Value expected_proxy_config(base::Value::Type::DICTIONARY);
+  expected_proxy_config.SetKey("mode",
+                               base::Value(ProxyPrefs::kDirectProxyModeName));
+
+  EXPECT_EQ(CountProxyBroadcasts(fake_intent_helper_instance_->broadcasts(),
+                                 {&expected_proxy_config}),
+            1);
+}
+
 // Proxy policy has a higher priority than proxy default settings.
 IN_PROC_BROWSER_TEST_F(ArcSettingsServiceTest, TwoSourcesTest) {
   fake_intent_helper_instance_->clear_broadcasts();

chrome/browser/chromeos/policy/system_proxy_manager.cc

@@ -15,6 +15,7 @@
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/settings/cros_settings_names.h"
 #include "chromeos/settings/cros_settings_provider.h"
+#include "components/arc/arc_prefs.h"
 #include "components/prefs/pref_change_registrar.h"
 #include "components/prefs/pref_registry_simple.h"
 #include "components/prefs/pref_service.h"
@@ -81,8 +82,13 @@ void SystemProxyManager::StartObservingPrimaryProfilePrefs(Profile* profile) {
       prefs::kKerberosActivePrincipalName,
       base::BindRepeating(&SystemProxyManager::OnKerberosAccountChanged,
                           base::Unretained(this)));
+  profile_pref_change_registrar_->Add(
+      arc::prefs::kArcEnabled,
+      base::BindRepeating(&SystemProxyManager::OnArcEnabledChanged,
+                          weak_factory_.GetWeakPtr()));
   if (system_proxy_enabled_) {
     OnKerberosAccountChanged();
+    OnArcEnabledChanged();
   }
 }
 
@@ -131,6 +137,7 @@ void SystemProxyManager::OnSystemProxySettingsPolicyChanged() {
         request, base::BindOnce(&SystemProxyManager::OnShutDownProcess,
                                 weak_factory_.GetWeakPtr()));
     system_services_address_.clear();
+    SetUserTrafficProxyPref(std::string());
     return;
   }
 
@@ -156,6 +163,11 @@ void SystemProxyManager::OnSystemProxySettingsPolicyChanged() {
   chromeos::SystemProxyClient::Get()->SetAuthenticationDetails(
       request, base::BindOnce(&SystemProxyManager::OnSetAuthenticationDetails,
                               weak_factory_.GetWeakPtr()));
+  // Fire once to cover the case where the SystemProxySetting policy is set
+  // during a user session.
+  if (IsArcEnabled()) {
+    OnArcEnabledChanged();
+  }
 }
 
 void SystemProxyManager::OnKerberosEnabledChanged() {
@@ -169,6 +181,32 @@ void SystemProxyManager::OnKerberosAccountChanged() {
   SendKerberosAuthenticationDetails();
 }
 
+void SystemProxyManager::OnArcEnabledChanged() {
+  if (!system_proxy_enabled_) {
+    return;
+  }
+
+  if (!IsArcEnabled()) {
+    system_proxy::ShutDownRequest request;
+    request.set_traffic_type(system_proxy::TrafficOrigin::USER);
+    chromeos::SystemProxyClient::Get()->ShutDownProcess(
+        request, base::BindOnce(&SystemProxyManager::OnShutDownProcess,
+                                weak_factory_.GetWeakPtr()));
+    return;
+  }
+
+  system_proxy::SetAuthenticationDetailsRequest request;
+  request.set_traffic_type(system_proxy::TrafficOrigin::USER);
+  chromeos::SystemProxyClient::Get()->SetAuthenticationDetails(
+      request, base::BindOnce(&SystemProxyManager::OnSetAuthenticationDetails,
+                              weak_factory_.GetWeakPtr()));
+}
+
+bool SystemProxyManager::IsArcEnabled() const {
+  return primary_profile_ &&
+         primary_profile_->GetPrefs()->GetBoolean(arc::prefs::kArcEnabled);
+}
+
 void SystemProxyManager::SendKerberosAuthenticationDetails() {
   if (!system_proxy_enabled_) {
     return;
@@ -199,6 +237,12 @@ void SystemProxyManager::SetSystemServicesProxyUrlForTest(
   system_services_address_ = local_proxy_url;
 }
 
+// static
+void SystemProxyManager::RegisterProfilePrefs(PrefRegistrySimple* registry) {
+  registry->RegisterStringPref(prefs::kSystemProxyUserTrafficHostAndPort,
+                               /*default_value=*/std::string());
+}
+
 void SystemProxyManager::OnSetAuthenticationDetails(
     const system_proxy::SetAuthenticationDetailsResponse& response) {
   if (response.has_error_message()) {
@@ -230,7 +274,18 @@ void SystemProxyManager::OnWorkerActive(
     const system_proxy::WorkerActiveSignalDetails& details) {
   if (details.traffic_origin() == system_proxy::TrafficOrigin::SYSTEM) {
     system_services_address_ = details.local_proxy_url();
+    return;
+  }
+  SetUserTrafficProxyPref(details.local_proxy_url());
+}
+
+void SystemProxyManager::SetUserTrafficProxyPref(
+    const std::string& user_traffic_address) {
+  if (!primary_profile_) {
+    return;
   }
+  primary_profile_->GetPrefs()->SetString(
+      prefs::kSystemProxyUserTrafficHostAndPort, user_traffic_address);
 }
 
 void SystemProxyManager::OnAuthenticationRequired(
@@ -287,7 +342,7 @@ void SystemProxyManager::LookupProxyAuthCredentialsCallback(
   user_credentials.set_password(password);
 
   system_proxy::SetAuthenticationDetailsRequest request;
-  request.set_traffic_type(system_proxy::TrafficOrigin::SYSTEM);
+  request.set_traffic_type(system_proxy::TrafficOrigin::ALL);
   *request.mutable_credentials() = user_credentials;
   *request.mutable_protection_space() = protection_space;
 

chrome/browser/chromeos/policy/system_proxy_manager.h

@@ -21,6 +21,7 @@ class SetAuthenticationDetailsResponse;
 class ShutDownResponse;
 }  // namespace system_proxy
 
+class PrefRegistrySimple;
 class PrefService;
 class PrefChangeRegistrar;
 class Profile;
@@ -59,6 +60,9 @@ class SystemProxyManager {
   void SetSystemProxyEnabledForTest(bool enabled);
   void SetSystemServicesProxyUrlForTest(const std::string& local_proxy_url);
 
+  // Registers prefs stored in user profiles.
+  static void RegisterProfilePrefs(PrefRegistrySimple* registry);
+
  private:
   void OnSetAuthenticationDetails(
       const system_proxy::SetAuthenticationDetailsResponse& response);
@@ -68,6 +72,10 @@ class SystemProxyManager {
 
   void OnKerberosEnabledChanged();
   void OnKerberosAccountChanged();
+  void OnArcEnabledChanged();
+  // Sets the value of the pref |kSystemProxyUserTrafficHostAndPort|.
+  void SetUserTrafficProxyPref(const std::string& user_traffic_address);
+  bool IsArcEnabled() const;
 
   void SendKerberosAuthenticationDetails();
 

chrome/browser/chromeos/policy/system_proxy_manager_unittest.cc

@@ -16,6 +16,7 @@
 #include "chrome/test/base/testing_profile.h"
 #include "chromeos/dbus/system_proxy/system_proxy_client.h"
 #include "chromeos/dbus/system_proxy/system_proxy_service.pb.h"
+#include "components/arc/arc_prefs.h"
 #include "components/prefs/pref_service.h"
 #include "content/public/browser/network_service_instance.h"
 #include "content/public/browser/storage_partition.h"
@@ -84,9 +85,16 @@ class SystemProxyManagerTest : public testing::Test {
     testing::Test::SetUp();
     profile_ = std::make_unique<TestingProfile>();
     chromeos::SystemProxyClient::InitializeFake();
+    system_proxy_manager_ = std::make_unique<SystemProxyManager>(
+        chromeos::CrosSettings::Get(), local_state_.Get());
+    // Listen for pref changes for the primary profile.
+    system_proxy_manager_->StartObservingPrimaryProfilePrefs(profile_.get());
   }
 
-  void TearDown() override { chromeos::SystemProxyClient::Shutdown(); }
+  void TearDown() override {
+    system_proxy_manager_->StopObservingPrimaryProfilePrefs();
+    chromeos::SystemProxyClient::Shutdown();
+  }
 
  protected:
   void SetPolicy(bool system_proxy_enabled,
@@ -100,6 +108,7 @@ class SystemProxyManagerTest : public testing::Test {
                 base::Value(system_services_password));
     scoped_testing_cros_settings_.device_settings()->Set(
         chromeos::kSystemProxySettings, dict);
+    task_environment_.RunUntilIdle();
   }
 
   chromeos::SystemProxyClient::TestInterface* client_test_interface() {
@@ -108,8 +117,9 @@ class SystemProxyManagerTest : public testing::Test {
 
   content::BrowserTaskEnvironment task_environment_;
   ScopedTestingLocalState local_state_;
-  std::unique_ptr<TestingProfile> profile_;
   chromeos::ScopedTestingCrosSettings scoped_testing_cros_settings_;
+  std::unique_ptr<SystemProxyManager> system_proxy_manager_;
+  std::unique_ptr<TestingProfile> profile_;
   chromeos::ScopedDeviceSettingsTestHelper device_settings_test_helper_;
   chromeos::ScopedStubInstallAttributes test_install_attributes_;
 };
@@ -117,19 +127,15 @@ class SystemProxyManagerTest : public testing::Test {
 // Verifies that System-proxy is configured with the system traffic credentials
 // set by |kSystemProxySettings| policy.
 TEST_F(SystemProxyManagerTest, SetAuthenticationDetails) {
-  SystemProxyManager system_proxy_manager(chromeos::CrosSettings::Get(),
-                                          local_state_.Get());
   EXPECT_EQ(0, client_test_interface()->GetSetAuthenticationDetailsCallCount());
 
   SetPolicy(true /* system_proxy_enabled */, "" /* system_services_username */,
             "" /* system_services_password */);
-  task_environment_.RunUntilIdle();
   // Don't send empty credentials.
   EXPECT_EQ(1, client_test_interface()->GetSetAuthenticationDetailsCallCount());
 
   SetPolicy(true /* system_proxy_enabled */, kSystemServicesUsername,
             kSystemServicesPassword);
-  task_environment_.RunUntilIdle();
   EXPECT_EQ(2, client_test_interface()->GetSetAuthenticationDetailsCallCount());
 
   system_proxy::SetAuthenticationDetailsRequest request =
@@ -143,14 +149,10 @@ TEST_F(SystemProxyManagerTest, SetAuthenticationDetails) {
 // Verifies requests to shut down are sent to System-proxy according to the
 // |kSystemProxySettings| policy.
 TEST_F(SystemProxyManagerTest, ShutDownDaemon) {
-  SystemProxyManager system_proxy_manager(chromeos::CrosSettings::Get(),
-                                          local_state_.Get());
-
   EXPECT_EQ(0, client_test_interface()->GetShutDownCallCount());
 
   SetPolicy(false /* system_proxy_enabled */, "" /* system_services_username */,
             "" /* system_services_password */);
-  task_environment_.RunUntilIdle();
   // Don't send empty credentials.
   EXPECT_EQ(1, client_test_interface()->GetShutDownCallCount());
 }
@@ -158,18 +160,11 @@ TEST_F(SystemProxyManagerTest, ShutDownDaemon) {
 // Tests that |SystemProxyManager| sends the correct Kerberos details and
 // updates to System-proxy.
 TEST_F(SystemProxyManagerTest, KerberosConfig) {
-  SystemProxyManager system_proxy_manager(chromeos::CrosSettings::Get(),
-                                          local_state_.Get());
-
   SetPolicy(true /* system_proxy_enabled */, "" /* system_services_username */,
             "" /* system_services_password */);
-  task_environment_.RunUntilIdle();
   local_state_.Get()->SetBoolean(prefs::kKerberosEnabled, true);
   EXPECT_EQ(2, client_test_interface()->GetSetAuthenticationDetailsCallCount());
 
-  // Listen for pref changes for the primary profile.
-  system_proxy_manager.StartObservingPrimaryProfilePrefs(profile_.get());
-  EXPECT_EQ(3, client_test_interface()->GetSetAuthenticationDetailsCallCount());
   system_proxy::SetAuthenticationDetailsRequest request =
       client_test_interface()->GetLastAuthenticationDetailsRequest();
   EXPECT_FALSE(request.has_credentials());
@@ -178,7 +173,7 @@ TEST_F(SystemProxyManagerTest, KerberosConfig) {
   // Set an active principal name.
   profile_->GetPrefs()->SetString(prefs::kKerberosActivePrincipalName,
                                   kKerberosActivePrincipalName);
-  EXPECT_EQ(4, client_test_interface()->GetSetAuthenticationDetailsCallCount());
+  EXPECT_EQ(3, client_test_interface()->GetSetAuthenticationDetailsCallCount());
   request = client_test_interface()->GetLastAuthenticationDetailsRequest();
   EXPECT_EQ(kKerberosActivePrincipalName, request.active_principal_name());
 
@@ -192,16 +187,12 @@ TEST_F(SystemProxyManagerTest, KerberosConfig) {
   local_state_.Get()->SetBoolean(prefs::kKerberosEnabled, false);
   request = client_test_interface()->GetLastAuthenticationDetailsRequest();
   EXPECT_FALSE(request.kerberos_enabled());
-
-  system_proxy_manager.StopObservingPrimaryProfilePrefs();
 }
 
 // Tests that when no user is signed in, credential requests are resolved to a
 // D-Bus call which sends back to System-proxy empty credentials for the
 // specified protection space.
 TEST_F(SystemProxyManagerTest, UserCredentialsRequiredNoUser) {
-  SystemProxyManager system_proxy_manager(chromeos::CrosSettings::Get(),
-                                          local_state_.Get());
   SetPolicy(true /* system_proxy_enabled */, "" /* system_services_username */,
             "" /* system_services_password */);
 
@@ -233,11 +224,8 @@ TEST_F(SystemProxyManagerTest, UserCredentialsRequiredNoUser) {
 // Tests that credential requests are resolved to a  D-Bus call which sends back
 // to System-proxy credentials acquired from the NetworkService.
 TEST_F(SystemProxyManagerTest, UserCredentialsRequestedFromNetworkService) {
-  SystemProxyManager system_proxy_manager(chromeos::CrosSettings::Get(),
-                                          local_state_.Get());
   SetPolicy(true /* system_proxy_enabled */, "" /* system_services_username */,
             "" /* system_services_password */);
-  system_proxy_manager.StartObservingPrimaryProfilePrefs(profile_.get());
 
   // Setup the NetworkContext with credentials.
   std::unique_ptr<network::NetworkContext> network_context =
@@ -279,6 +267,59 @@ TEST_F(SystemProxyManagerTest, UserCredentialsRequestedFromNetworkService) {
   ASSERT_TRUE(request.has_credentials());
   EXPECT_EQ(kBrowserUsername, request.credentials().username());
   EXPECT_EQ(kBrowserPassword, request.credentials().password());
-  system_proxy_manager.StopObservingPrimaryProfilePrefs();
 }
+
+// Tests that |SystemProxyManager| sends requests to start and shut down the
+// worker which tunnels ARC++ traffic according to policy.
+TEST_F(SystemProxyManagerTest, EnableArcWorker) {
+  int expected_set_auth_details_call_count = 0;
+  SetPolicy(true /* system_proxy_enabled */, "" /* system_services_username */,
+            "" /* system_services_password */);
+
+  EXPECT_EQ(++expected_set_auth_details_call_count,
+            client_test_interface()->GetSetAuthenticationDetailsCallCount());
+
+  profile_->GetPrefs()->SetBoolean(arc::prefs::kArcEnabled, true);
+  task_environment_.RunUntilIdle();
+  EXPECT_EQ(++expected_set_auth_details_call_count,
+            client_test_interface()->GetSetAuthenticationDetailsCallCount());
+
+  profile_->GetPrefs()->SetBoolean(arc::prefs::kArcEnabled, false);
+  EXPECT_EQ(1, client_test_interface()->GetShutDownCallCount());
+}
+
+// Tests that the user preference used by ARC++ to point to the local proxy is
+// kept in sync.
+TEST_F(SystemProxyManagerTest, ArcWorkerAddressPrefSynced) {
+  const char kLocalProxyAddress[] = "local address";
+  SetPolicy(true /* system_proxy_enabled */, "" /* system_services_username */,
+            "" /* system_services_password */);
+
+  system_proxy::WorkerActiveSignalDetails details;
+  details.set_traffic_origin(system_proxy::TrafficOrigin::USER);
+  details.set_local_proxy_url(kLocalProxyAddress);
+  client_test_interface()->SendWorkerActiveSignal(details);
+  task_environment_.RunUntilIdle();
+  EXPECT_EQ(kLocalProxyAddress,
+            profile_->GetPrefs()->GetString(
+                ::prefs::kSystemProxyUserTrafficHostAndPort));
+
+  // The preference shouldn't be updated if the signal is send for system
+  // traffic.
+  details.set_traffic_origin(system_proxy::TrafficOrigin::SYSTEM);
+  details.set_local_proxy_url("other address");
+  client_test_interface()->SendWorkerActiveSignal(details);
+  task_environment_.RunUntilIdle();
+  EXPECT_EQ(kLocalProxyAddress,
+            profile_->GetPrefs()->GetString(
+                ::prefs::kSystemProxyUserTrafficHostAndPort));
+
+  SetPolicy(false /* system_proxy_enabled */, "" /* system_services_username */,
+            "" /* system_services_password */);
+
+  EXPECT_TRUE(profile_->GetPrefs()
+                  ->GetString(::prefs::kSystemProxyUserTrafficHostAndPort)
+                  .empty());
+}
+
 }  // namespace policy

chrome/browser/prefs/browser_prefs.cc

@@ -181,6 +181,7 @@
 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_service.h"
 #include "chrome/browser/chromeos/login/existing_user_controller.h"
 #include "chrome/browser/chromeos/policy/system_features_disable_list_policy_handler.h"
+#include "chrome/browser/chromeos/policy/system_proxy_manager.h"
 #include "chrome/browser/chromeos/settings/stats_reporting_controller.h"
 #include "chrome/browser/component_updater/metadata_table_chromeos.h"
 #else
@@ -1095,6 +1096,7 @@ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry,
   policy::ExtensionInstallEventLogManagerWrapper::RegisterProfilePrefs(
       registry);
   policy::StatusCollector::RegisterProfilePrefs(registry);
+  policy::SystemProxyManager::RegisterProfilePrefs(registry);
   RegisterChromeLauncherUserPrefs(registry);
   ::onc::RegisterProfilePrefs(registry);
   chromeos::cert_provisioning::RegisterProfilePrefs(registry);

chrome/common/pref_names.cc

@@ -1038,6 +1038,12 @@ const char kUpdateRequiredTimerStartTime[] = "update_required_timer_start_time";
 // required timer will expire and block user session. If the timer is not
 // started the pref holds the default value base::TimeDelta().
 const char kUpdateRequiredWarningPeriod[] = "update_required_warning_period";
+
+// String user profile pref that contains the host and port of the local
+// proxy which tunnels user traffic, in the format <address>:<proxy>. Only set
+// when System-proxy and ARC++ are enabled by policy.
+const char kSystemProxyUserTrafficHostAndPort[] =
+    "system_proxy.user_traffic_host_and_port";
 #endif  // defined(OS_CHROMEOS)
 
 // A boolean pref set to true if a Home button to open the Home pages should be

chrome/common/pref_names.h

@@ -337,6 +337,7 @@ extern const char kSettingsShowOSBanner[];
 extern const char kDeviceLoginScreenWebUsbAllowDevicesForUrls[];
 extern const char kUpdateRequiredTimerStartTime[];
 extern const char kUpdateRequiredWarningPeriod[];
+extern const char kSystemProxyUserTrafficHostAndPort[];
 #endif  // defined(OS_CHROMEOS)
 extern const char kShowHomeButton[];
 extern const char kSpeechRecognitionFilterProfanities[];

chromeos/dbus/system_proxy/fake_system_proxy_client.cc

@@ -85,4 +85,11 @@ void FakeSystemProxyClient::SendAuthenticationRequiredSignal(
       FROM_HERE, base::BindOnce(auth_required_callback_, details));
 }
 
+void FakeSystemProxyClient::SendWorkerActiveSignal(
+    const system_proxy::WorkerActiveSignalDetails& details) {
+  DCHECK(worker_active_callback_);
+  base::ThreadTaskRunnerHandle::Get()->PostTask(
+      FROM_HERE, base::BindOnce(worker_active_callback_, details));
+}
+
 }  // namespace chromeos

chromeos/dbus/system_proxy/fake_system_proxy_client.h

@@ -45,6 +45,8 @@ class COMPONENT_EXPORT(CHROMEOS_DBUS) FakeSystemProxyClient
   GetLastAuthenticationDetailsRequest() const override;
   void SendAuthenticationRequiredSignal(
       const system_proxy::AuthenticationRequiredDetails& details) override;
+  void SendWorkerActiveSignal(
+      const system_proxy::WorkerActiveSignalDetails& details) override;
 
  private:
   system_proxy::SetAuthenticationDetailsRequest last_set_auth_details_request_;

chromeos/dbus/system_proxy/system_proxy_client.h

@@ -52,6 +52,10 @@ class COMPONENT_EXPORT(SYSTEM_PROXY) SystemProxyClient {
     // |ConnectToWorkerSignals|.
     virtual void SendAuthenticationRequiredSignal(
         const system_proxy::AuthenticationRequiredDetails& details) = 0;
+    // Simulates the |WorkerActiveSignal| signal by calling the callback set
+    // by |SetWorkerActiveSignalCallback|.
+    virtual void SendWorkerActiveSignal(
+        const system_proxy::WorkerActiveSignalDetails& details) = 0;
 
    protected:
     virtual ~TestInterface() {}