Wire ManagedSessionEnabled policy through code

If the policy is set, remove restrictions that were put into place for public
sessions.

Bug: 865947
Change-Id: Ifdecf36916d9999ee2f90145dc69b7f46e18d0e1
Reviewed-on: https://chromium-review.googlesource.com/1160651
Commit-Queue: Ivan Šandrk <isandrk@chromium.org>
Reviewed-by: Kush Sinha <sinhak@chromium.org>
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582279}

chrome/browser/chromeos/extensions/extension_tab_util_delegate_chromeos.cc

@@ -22,7 +22,7 @@ void ExtensionTabUtilDelegateChromeOS::ScrubTabForExtension(
     const Extension* extension,
     content::WebContents* contents,
     api::tabs::Tab* tab) {
-  if (!profiles::IsPublicSession() || !tab->url ||
+  if (!profiles::ArePublicSessionRestrictionsEnabled() || !tab->url ||
       chromeos::DeviceLocalAccountManagementPolicyProvider::IsWhitelisted(
           extension->id())) {
     return;

chrome/browser/chromeos/extensions/permissions_updater_delegate_chromeos.cc

@@ -21,7 +21,7 @@ PermissionsUpdaterDelegateChromeOS::~PermissionsUpdaterDelegateChromeOS() {}
 void PermissionsUpdaterDelegateChromeOS::InitializePermissions(
     const Extension* extension,
     std::unique_ptr<const PermissionSet>* granted_permissions) {
-  if (!profiles::IsPublicSession() ||
+  if (!profiles::ArePublicSessionRestrictionsEnabled() ||
       chromeos::DeviceLocalAccountManagementPolicyProvider::IsWhitelisted(
           extension->id()) ||
       !(*granted_permissions)

chrome/browser/chromeos/extensions/public_session_permission_helper.cc

@@ -101,7 +101,7 @@ bool PublicSessionPermissionHelper::HandlePermissionRequestImpl(
     content::WebContents* web_contents,
     const RequestResolvedCallback& callback,
     const PromptFactory& prompt_factory) {
-  DCHECK(profiles::IsPublicSession());
+  DCHECK(profiles::ArePublicSessionRestrictionsEnabled());
   if (!PermissionCheckNeeded(&extension)) {
     if (!callback.is_null())
       callback.Run(requested_permissions);
@@ -172,7 +172,7 @@ bool PublicSessionPermissionHelper::HandlePermissionRequestImpl(
 bool PublicSessionPermissionHelper::PermissionAllowedImpl(
     const Extension* extension,
     APIPermission::ID permission) {
-  DCHECK(profiles::IsPublicSession());
+  DCHECK(profiles::ArePublicSessionRestrictionsEnabled());
   return !PermissionCheckNeeded(extension) ||
          allowed_permission_set_.ContainsID(permission);
 }

chrome/browser/chromeos/login/users/chrome_user_manager_util.cc

@@ -6,11 +6,17 @@
 
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
+#include "chrome/browser/browser_process_platform_part_chromeos.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
 #include "chrome/browser/chromeos/policy/minimum_version_policy_handler.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/chromeos/settings/device_settings_provider.h"
 #include "chromeos/settings/cros_settings_names.h"
+#include "components/policy/core/common/cloud/cloud_policy_core.h"
+#include "components/policy/core/common/cloud/cloud_policy_store.h"
+#include "components/policy/core/common/policy_map.h"
+#include "components/policy/policy_constants.h"
 #include "components/prefs/pref_value_map.h"
 #include "components/user_manager/user_manager.h"
 #include "components/user_manager/user_names.h"
@@ -43,6 +49,26 @@ bool IsUserAllowedInner(const user_manager::User& user,
     return false;
   return true;
 }
+
+bool IsManagedSessionEnabled(const user_manager::User* active_user) {
+  policy::DeviceLocalAccountPolicyService* service =
+      g_browser_process->platform_part()
+          ->browser_policy_connector_chromeos()
+          ->GetDeviceLocalAccountPolicyService();
+
+  if (!service)
+    return false;
+
+  const policy::PolicyMap::Entry* entry =
+      service->GetBrokerForUser(active_user->GetAccountId().GetUserEmail())
+          ->core()
+          ->store()
+          ->policy_map()
+          .Get(policy::key::kDeviceLocalAccountManagedSessionEnabled);
+
+  return entry && entry->value && entry->value->GetBool();
+}
+
 }  // namespace
 
 bool GetPlatformKnownUserId(const std::string& user_email,
@@ -77,22 +103,26 @@ void UpdateLoginState(const user_manager::User* active_user,
                                 : chromeos::LoginState::LOGGED_IN_NONE;
 
   chromeos::LoginState::LoggedInUserType login_user_type;
-  if (logged_in_state == chromeos::LoginState::LOGGED_IN_NONE)
+  if (logged_in_state == chromeos::LoginState::LOGGED_IN_NONE) {
     login_user_type = chromeos::LoginState::LOGGED_IN_USER_NONE;
-  else if (is_current_user_owner)
+  } else if (is_current_user_owner) {
     login_user_type = chromeos::LoginState::LOGGED_IN_USER_OWNER;
-  else if (active_user->GetType() == user_manager::USER_TYPE_GUEST)
+  } else if (active_user->GetType() == user_manager::USER_TYPE_GUEST) {
     login_user_type = chromeos::LoginState::LOGGED_IN_USER_GUEST;
-  else if (active_user->GetType() == user_manager::USER_TYPE_PUBLIC_ACCOUNT)
-    login_user_type = chromeos::LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT;
-  else if (active_user->GetType() == user_manager::USER_TYPE_SUPERVISED)
+  } else if (active_user->GetType() == user_manager::USER_TYPE_PUBLIC_ACCOUNT) {
+    login_user_type =
+        IsManagedSessionEnabled(active_user)
+            ? chromeos::LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT_MANAGED
+            : chromeos::LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT;
+  } else if (active_user->GetType() == user_manager::USER_TYPE_SUPERVISED) {
     login_user_type = chromeos::LoginState::LOGGED_IN_USER_SUPERVISED;
-  else if (active_user->GetType() == user_manager::USER_TYPE_KIOSK_APP)
+  } else if (active_user->GetType() == user_manager::USER_TYPE_KIOSK_APP) {
     login_user_type = chromeos::LoginState::LOGGED_IN_USER_KIOSK_APP;
-  else if (active_user->GetType() == user_manager::USER_TYPE_ARC_KIOSK_APP)
+  } else if (active_user->GetType() == user_manager::USER_TYPE_ARC_KIOSK_APP) {
     login_user_type = chromeos::LoginState::LOGGED_IN_USER_ARC_KIOSK_APP;
-  else
+  } else {
     login_user_type = chromeos::LoginState::LOGGED_IN_USER_REGULAR;
+  }
 
   if (primary_user) {
     chromeos::LoginState::Get()->SetLoggedInStateAndPrimaryUser(

chrome/browser/extensions/api/page_capture/page_capture_api.cc

@@ -95,7 +95,7 @@ bool PageCaptureSaveAsMHTMLFunction::RunAsync() {
   // time, we show the user a dialog where they can choose whether to allow the
   // extension access to the API.
 #if defined(OS_CHROMEOS)
-  if (profiles::IsPublicSession()) {
+  if (profiles::ArePublicSessionRestrictionsEnabled()) {
     WebContents* web_contents = GetWebContents();
     if (!web_contents) {
       ReturnFailure(kTabClosedError);

chrome/browser/media/public_session_media_access_handler.cc

@@ -46,7 +46,8 @@ void PublicSessionMediaAccessHandler::HandleRequest(
     const extensions::Extension* extension) {
   // This class handles requests for Public Sessions only, outside of them just
   // pass the request through to the original class.
-  if (!profiles::IsPublicSession() || !extension->is_platform_app()) {
+  if (!profiles::ArePublicSessionRestrictionsEnabled() ||
+      !extension->is_platform_app()) {
     return extension_media_access_handler_.HandleRequest(
         web_contents, request, std::move(callback), extension);
   }

chrome/browser/media/public_session_tab_capture_access_handler.cc

@@ -45,7 +45,7 @@ void PublicSessionTabCaptureAccessHandler::HandleRequest(
     const extensions::Extension* extension) {
   // This class handles requests for Public Sessions only, outside of them just
   // pass the request through to the original class.
-  if (!profiles::IsPublicSession() || !extension ||
+  if (!profiles::ArePublicSessionRestrictionsEnabled() || !extension ||
       (request.audio_type != content::MEDIA_GUM_TAB_AUDIO_CAPTURE &&
        request.video_type != content::MEDIA_GUM_TAB_VIDEO_CAPTURE)) {
     return tab_capture_access_handler_.HandleRequest(

chrome/browser/profiles/profiles_state.cc

@@ -288,6 +288,15 @@ bool IsPublicSession() {
 #endif
   return false;
 }
+
+bool ArePublicSessionRestrictionsEnabled() {
+#if defined(OS_CHROMEOS)
+  if (chromeos::LoginState::IsInitialized()) {
+    return chromeos::LoginState::Get()->ArePublicSessionRestrictionsEnabled();
+  }
+#endif
+  return false;
+}
 #endif  // !defined(OS_ANDROID)
 
 }  // namespace profiles

chrome/browser/profiles/profiles_state.h

@@ -121,6 +121,9 @@ bool AreAllNonChildNonSupervisedProfilesLocked();
 
 // Returns whether a public session is being run currently.
 bool IsPublicSession();
+
+// Returns whether public session restrictions are enabled.
+bool ArePublicSessionRestrictionsEnabled();
 #endif  // !defined(OS_ANDROID)
 
 }  // namespace profiles

chrome/browser/ui/ash/network/enrollment_dialog_view.cc

@@ -279,6 +279,7 @@ bool EnrollmentDialogAllowed(Profile* profile) {
     case LoginState::LOGGED_IN_USER_GUEST:
       return true;
     case LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT:
+    case LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT_MANAGED:
       return false;
     case LoginState::LOGGED_IN_USER_SUPERVISED:
       return true;

chrome/browser/ui/views/apps/chrome_native_app_window_views_aura_ash_browsertest.cc

@@ -8,12 +8,12 @@
 #include "chrome/browser/apps/platform_apps/app_browsertest_util.h"
 #include "chrome/browser/ui/ash/tablet_mode_client.h"
 #include "chrome/browser/ui/views/apps/chrome_native_app_window_views_aura_ash.h"
+#include "chromeos/login/login_state.h"
+#include "chromeos/login/scoped_test_public_session_login_state.h"
 #include "extensions/browser/app_window/app_window.h"
 #include "ui/base/ui_base_types.h"
 #include "ui/wm/core/window_util.h"
 
-#include "chromeos/login/login_state.h"
-
 class ChromeNativeAppWindowViewsAuraAshBrowserTest
     : public extensions::PlatformAppBrowserTest {
  public:
@@ -152,9 +152,7 @@ IN_PROC_BROWSER_TEST_F(ChromeNativeAppWindowViewsAuraAshBrowserTest,
 // immersive in fullscreen.
 IN_PROC_BROWSER_TEST_F(ChromeNativeAppWindowViewsAuraAshBrowserTest,
                        PublicSessionImmersiveMode) {
-  chromeos::LoginState::Get()->SetLoggedInState(
-      chromeos::LoginState::LOGGED_IN_ACTIVE,
-      chromeos::LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT);
+  chromeos::ScopedTestPublicSessionLoginState login_state;
 
   extensions::AppWindow* app_window = CreateTestAppWindow("{}");
   auto* window = static_cast<ChromeNativeAppWindowViewsAuraAsh*>(

chromeos/login/login_state.cc

@@ -98,6 +98,11 @@ bool LoginState::IsGuestSessionUser() const {
 }
 
 bool LoginState::IsPublicSessionUser() const {
+  return logged_in_user_type_ == LOGGED_IN_USER_PUBLIC_ACCOUNT ||
+         logged_in_user_type_ == LOGGED_IN_USER_PUBLIC_ACCOUNT_MANAGED;
+}
+
+bool LoginState::ArePublicSessionRestrictionsEnabled() const {
   return logged_in_user_type_ == LOGGED_IN_USER_PUBLIC_ACCOUNT;
 }
 
@@ -108,7 +113,7 @@ bool LoginState::IsKioskApp() const {
 bool LoginState::UserHasNetworkProfile() const {
   if (!IsUserLoggedIn())
     return false;
-  return logged_in_user_type_ != LOGGED_IN_USER_PUBLIC_ACCOUNT;
+  return !IsPublicSessionUser();
 }
 
 bool LoginState::IsUserAuthenticated() const {

chromeos/login/login_state.h

@@ -26,6 +26,7 @@ class CHROMEOS_EXPORT LoginState {
     LOGGED_IN_USER_OWNER,           // The owner of the device is logged in
     LOGGED_IN_USER_GUEST,           // A guest is logged in (i.e. incognito)
     LOGGED_IN_USER_PUBLIC_ACCOUNT,  // A user is logged in to a public session.
+    LOGGED_IN_USER_PUBLIC_ACCOUNT_MANAGED,  // Public session v2.
     LOGGED_IN_USER_SUPERVISED,      // A supervised user is logged in
     LOGGED_IN_USER_KIOSK_APP,       // Is in kiosk app mode
     LOGGED_IN_USER_ARC_KIOSK_APP    // Is in ARC kiosk mode
@@ -78,6 +79,9 @@ class CHROMEOS_EXPORT LoginState {
   // Returns true if logged in to a public session.
   bool IsPublicSessionUser() const;
 
+  // Returns true if restrictions should be enabled for public session.
+  bool ArePublicSessionRestrictionsEnabled() const;
+
   // Returns true if logged in as a kiosk app.
   bool IsKioskApp() const;
 

chromeos/login/scoped_test_public_session_login_state.cc

@@ -4,8 +4,6 @@
 
 #include "chromeos/login/scoped_test_public_session_login_state.h"
 
-#include "chromeos/login/login_state.h"
-
 namespace chromeos {
 
 namespace {
@@ -14,7 +12,11 @@ bool g_instance_exists = false;
 
 }  // namespace
 
-ScopedTestPublicSessionLoginState::ScopedTestPublicSessionLoginState() {
+ScopedTestPublicSessionLoginState::ScopedTestPublicSessionLoginState(
+    LoginState::LoggedInUserType user_type) {
+  // Sanity check - allow only public session state.
+  CHECK(user_type == LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT ||
+        user_type == LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT_MANAGED);
   // Allow only one instance of this class.
   CHECK(!g_instance_exists);
   g_instance_exists = true;
@@ -24,9 +26,7 @@ ScopedTestPublicSessionLoginState::ScopedTestPublicSessionLoginState() {
     LoginState::Initialize();
     needs_shutdown_ = true;
   }
-  LoginState::Get()->SetLoggedInState(
-      LoginState::LOGGED_IN_ACTIVE,
-      LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT);
+  LoginState::Get()->SetLoggedInState(LoginState::LOGGED_IN_ACTIVE, user_type);
 }
 
 ScopedTestPublicSessionLoginState::~ScopedTestPublicSessionLoginState() {

chromeos/login/scoped_test_public_session_login_state.h

@@ -6,6 +6,7 @@
 #define CHROMEOS_LOGIN_SCOPED_TEST_PUBLIC_SESSION_LOGIN_STATE_H_
 
 #include "base/macros.h"
+#include "chromeos/login/login_state.h"
 
 namespace chromeos {
 
@@ -14,7 +15,9 @@ namespace chromeos {
 // (so it nicely cleans up after going out of scope).
 class ScopedTestPublicSessionLoginState {
  public:
-  ScopedTestPublicSessionLoginState();
+  ScopedTestPublicSessionLoginState(
+      LoginState::LoggedInUserType user_type =
+          LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT);
   ~ScopedTestPublicSessionLoginState();
 
  private:

extensions/browser/api/web_request/web_request_api.cc

@@ -370,11 +370,11 @@ bool ShouldHideEvent(void* browser_context,
           WebRequestPermissions::HideRequest(extension_info_map, request));
 }
 
-// Returns true if we're in a Public Session.
-bool IsPublicSession() {
+// Returns true if we're in a Public Session and restrictions are enabled.
+bool ArePublicSessionRestrictionsEnabled() {
 #if defined(OS_CHROMEOS)
   if (chromeos::LoginState::IsInitialized()) {
-    return chromeos::LoginState::Get()->IsPublicSessionUser();
+    return chromeos::LoginState::Get()->ArePublicSessionRestrictionsEnabled();
   }
 #endif
   return false;
@@ -1400,7 +1400,7 @@ void ExtensionWebRequestEventRouter::DispatchEventToListeners(
     // which are force-installed by policy. Whitelisted extensions are exempt
     // from this filtering.
     WebRequestEventDetails* custom_event_details = event_details.get();
-    if (IsPublicSession() &&
+    if (ArePublicSessionRestrictionsEnabled() &&
         !extensions::IsWhitelistedForPublicSession(listener->id.extension_id)) {
       if (!event_details_filtered_copy) {
         event_details_filtered_copy =
@@ -2346,9 +2346,9 @@ WebRequestInternalAddEventListenerFunction::Run() {
     // http://www.example.com/bar/*.
     // For this reason we do only a coarse check here to warn the extension
     // developer if they do something obviously wrong.
-    // When we are in a Public Session, allow all URLs for webRequests initiated
-    // by a regular extension.
-    if (!(IsPublicSession() && extension->is_extension()) &&
+    // When restrictions are enabled in Public Session, allow all URLs for
+    // webRequests initiated by a regular extension.
+    if (!(ArePublicSessionRestrictionsEnabled() && extension->is_extension()) &&
         extension->permissions_data()
             ->GetEffectiveHostPermissions()
             .is_empty() &&
@@ -2413,9 +2413,9 @@ WebRequestInternalEventHandledFunction::Run() {
           extension_id_safe(), install_time));
     }
 
-    // In Public Session we only want to allow "cancel" (except for whitelisted
-    // extensions which have no such restrictions).
-    if (IsPublicSession() &&
+    // In Public Session we restrict everything but "cancel" (except for
+    // whitelisted extensions which have no such restrictions).
+    if (ArePublicSessionRestrictionsEnabled() &&
         !extensions::IsWhitelistedForPublicSession(extension_id_safe()) &&
         (value->HasKey("redirectUrl") ||
          value->HasKey(keys::kAuthCredentialsKey) ||

extensions/browser/api/web_request/web_request_permissions.cc

@@ -8,7 +8,6 @@
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
-#include "chromeos/login/login_state.h"
 #include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/resource_request_info.h"
 #include "extensions/browser/api/extensions_api_client.h"
@@ -114,11 +113,12 @@ PermissionsData::PageAccess CanExtensionAccessURLInternal(
       extension->permissions_data()->IsPolicyBlockedHost(initiator->GetURL()))
     return PermissionsData::PageAccess::kDenied;
 
-// When we are in a Public Session, allow all URLs for webRequests initiated
-// by a regular extension (but don't allow chrome:// URLs).
+// When restrictions are enabled in Public Session, allow all URLs for
+// webRequests initiated by a regular extension (but don't allow chrome://
+// URLs).
 #if defined(OS_CHROMEOS)
   if (chromeos::LoginState::IsInitialized() &&
-      chromeos::LoginState::Get()->IsPublicSessionUser() &&
+      chromeos::LoginState::Get()->ArePublicSessionRestrictionsEnabled() &&
       extension->is_extension() && !url.SchemeIs("chrome")) {
     // Make sure that the extension is truly installed by policy (the assumption
     // in Public Session is that all extensions are installed by policy).