[Safe Browsing] Remove signin/sync deps from PolicyEngine

This CL abstracts RealTimePolicyEngine's dependence on signin and sync
for determining whether safe browsing access token fetches are
supported, instead having it take in a callback supplied by its client.
We place the abstracted functionality in
//components/safe_browsing/core/browser/sync along with adjusted
versions of its unittests.

The purpose of this abstraction is to enable this code to be reused by
WebLayer, which does not use signin or sync. This CL binds the callback
in RealTimeURLLookupService, but a followup will do the binding in the
embedder of the SafeBrowsing component.

Bug: 1080748
Change-Id: I7bf0d3d15eae173b107f95cdc1616e08e0f69eae
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2616352Reviewed-by: Xinghui Lu <xinghuilu@chromium.org>
Commit-Queue: Colin Blundell <blundell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#842433}

components/safe_browsing/core/browser/sync/BUILD.gn

@@ -8,6 +8,8 @@ source_set("sync") {
   sources = [
     "safe_browsing_primary_account_token_fetcher.cc",
     "safe_browsing_primary_account_token_fetcher.h",
+    "sync_utils.cc",
+    "sync_utils.h",
   ]
 
   deps = [
@@ -15,19 +17,24 @@ source_set("sync") {
     "//components/safe_browsing/core/browser:token_fetcher",
     "//components/safe_browsing/core/common:thread_utils",
     "//components/signin/public/identity_manager",
+    "//components/sync/driver",
     "//google_apis",
   ]
 }
 
 source_set("unittests") {
   testonly = true
-  sources = [ "safe_browsing_primary_account_token_fetcher_unittest.cc" ]
+  sources = [
+    "safe_browsing_primary_account_token_fetcher_unittest.cc",
+    "sync_utils_unittest.cc",
+  ]
 
   deps = [
     ":sync",
     "//base/test:test_support",
     "//components/safe_browsing/core/common:test_support",
     "//components/signin/public/identity_manager:test_support",
+    "//components/sync/driver:test_support",
     "//testing/gtest",
   ]
 }

components/safe_browsing/core/browser/sync/sync_utils.cc

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/safe_browsing/core/browser/sync/sync_utils.h"
+
+#include "components/signin/public/identity_manager/account_info.h"
+#include "components/signin/public/identity_manager/consent_level.h"
+#include "components/signin/public/identity_manager/identity_manager.h"
+#include "components/sync/base/user_selectable_type.h"
+#include "components/sync/driver/sync_service.h"
+#include "components/sync/driver/sync_service_utils.h"
+#include "components/sync/driver/sync_user_settings.h"
+
+namespace safe_browsing {
+
+// static
+bool SyncUtils::IsPrimaryAccountSignedIn(
+    signin::IdentityManager* identity_manager) {
+  CoreAccountInfo primary_account_info =
+      identity_manager->GetPrimaryAccountInfo(
+          signin::ConsentLevel::kNotRequired);
+  return !primary_account_info.account_id.empty();
+}
+
+// static
+bool SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+    syncer::SyncService* sync_service,
+    signin::IdentityManager* identity_manager,
+    bool user_has_enabled_enhanced_protection) {
+  // If the user has explicitly enabled enhanced protection and the primary
+  // account is available, no further conditions are needed.
+  if (user_has_enabled_enhanced_protection &&
+      IsPrimaryAccountSignedIn(identity_manager)) {
+    return true;
+  }
+
+  // Otherwise, check the status of sync: Safe browsing token fetches are
+  // enabled when the user is syncing their browsing history without a custom
+  // passphrase.
+  // NOTE: |sync_service| can be null in Incognito, and can also be set to null
+  // by a cmdline param.
+  return sync_service &&
+         (syncer::GetUploadToGoogleState(
+              sync_service, syncer::ModelType::HISTORY_DELETE_DIRECTIVES) ==
+          syncer::UploadState::ACTIVE) &&
+         !sync_service->GetUserSettings()->IsUsingSecondaryPassphrase();
+}
+
+}  // namespace safe_browsing

components/safe_browsing/core/browser/sync/sync_utils.h

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SAFE_BROWSING_CORE_BROWSER_SYNC_SYNC_UTILS_H_
+#define COMPONENTS_SAFE_BROWSING_CORE_BROWSER_SYNC_SYNC_UTILS_H_
+
+namespace syncer {
+class SyncService;
+}
+
+namespace signin {
+class IdentityManager;
+}
+
+namespace safe_browsing {
+
+// This class implements sync and signin-related safe browsing utilities.
+class SyncUtils {
+ public:
+  SyncUtils() = delete;
+  ~SyncUtils() = delete;
+
+  // Returns true if signin and sync are configured such that access token
+  // fetches for safe browsing can be enabled.
+  static bool AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      syncer::SyncService* sync_service,
+      signin::IdentityManager* identity_manager,
+      bool user_has_enabled_enhanced_protection);
+
+ private:
+  // Whether the primary account is signed in. Sync is not required.
+  static bool IsPrimaryAccountSignedIn(
+      signin::IdentityManager* identity_manager);
+};  // class SyncUtils
+
+}  // namespace safe_browsing
+
+#endif  // COMPONENTS_SAFE_BROWSING_CORE_BROWSER_SYNC_SYNC_UTILS_H_

components/safe_browsing/core/browser/sync/sync_utils_unittest.cc

+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/safe_browsing/core/browser/sync/sync_utils.h"
+
+#include "components/safe_browsing/core/common/test_task_environment.h"
+#include "components/signin/public/identity_manager/identity_test_environment.h"
+#include "components/sync/driver/test_sync_service.h"
+#include "testing/platform_test.h"
+
+namespace safe_browsing {
+
+class SyncUtilsTest : public PlatformTest {
+ public:
+  SyncUtilsTest() : task_environment_(CreateTestTaskEnvironment()) {}
+
+  std::unique_ptr<base::test::TaskEnvironment> task_environment_;
+};
+
+TEST_F(SyncUtilsTest, AreSigninAndSyncSetUpForSafeBrowsingTokenFetches_Sync) {
+  std::unique_ptr<signin::IdentityTestEnvironment> identity_test_env =
+      std::make_unique<signin::IdentityTestEnvironment>();
+  signin::IdentityManager* identity_manager =
+      identity_test_env->identity_manager();
+  syncer::TestSyncService sync_service;
+
+  // For the purposes of this test, IdentityManager has no primary account.
+
+  // Sync is disabled.
+  sync_service.SetDisableReasons(
+      {syncer::SyncService::DISABLE_REASON_USER_CHOICE});
+  sync_service.SetTransportState(syncer::SyncService::TransportState::DISABLED);
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/true));
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/false));
+
+  // Sync is enabled.
+  sync_service.SetDisableReasons({});
+  sync_service.SetTransportState(syncer::SyncService::TransportState::ACTIVE);
+  EXPECT_TRUE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/true));
+  EXPECT_TRUE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/false));
+
+  // History sync is disabled.
+  sync_service.GetUserSettings()->SetSelectedTypes(
+      /* sync_everything */ false, {});
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/true));
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/false));
+
+  // Custom passphrase is enabled.
+  sync_service.GetUserSettings()->SetSelectedTypes(
+      false, {syncer::UserSelectableType::kHistory});
+  sync_service.SetIsUsingSecondaryPassphrase(true);
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/true));
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/false));
+}
+
+TEST_F(SyncUtilsTest,
+       AreSigninAndSyncSetUpForSafeBrowsingTokenFetches_IdentityManager) {
+  std::unique_ptr<signin::IdentityTestEnvironment> identity_test_env =
+      std::make_unique<signin::IdentityTestEnvironment>();
+  signin::IdentityManager* identity_manager =
+      identity_test_env->identity_manager();
+  syncer::TestSyncService sync_service;
+
+  // For the purposes of this test, disable sync.
+  sync_service.SetDisableReasons(
+      {syncer::SyncService::DISABLE_REASON_USER_CHOICE});
+  sync_service.SetTransportState(syncer::SyncService::TransportState::DISABLED);
+  sync_service.GetUserSettings()->SetSelectedTypes(
+      /* sync_everything */ false, {});
+
+  // If the user is not signed in, it should not be
+  // possible to perform URL lookups with tokens.
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/true));
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/false));
+
+  // Enhanced protection is on and the user is signed in: it should be possible
+  // to perform URL lookups with tokens (even though the
+  // kRealTimeLookupEnabledWithToken feature and sync/history sync are
+  // disabled).
+  identity_test_env->MakeUnconsentedPrimaryAccountAvailable("test@example.com");
+  EXPECT_TRUE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/true));
+
+  // Enhanced protection is *off* and the user is signed in: it should not be
+  // possible to perform URL lookups with tokens without sync being enabled.
+  EXPECT_FALSE(SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches(
+      &sync_service, identity_manager,
+      /* user_has_enabled_enhanced_protection=*/false));
+}
+
+}  // namespace safe_browsing

components/safe_browsing/core/realtime/BUILD.gn

@@ -15,8 +15,6 @@ static_library("policy_engine") {
     "//components/safe_browsing/core:realtimeapi_proto",
     "//components/safe_browsing/core/common",
     "//components/safe_browsing/core/common:safe_browsing_prefs",
-    "//components/signin/public/identity_manager",
-    "//components/sync",
     "//components/unified_consent",
     "//components/user_prefs",
     "//components/variations/service",

components/safe_browsing/core/realtime/policy_engine.cc

@@ -12,13 +12,6 @@
 #include "components/safe_browsing/core/common/safe_browsing_prefs.h"
 #include "components/safe_browsing/core/common/safebrowsing_constants.h"
 #include "components/safe_browsing/core/features.h"
-#include "components/signin/public/identity_manager/account_info.h"
-#include "components/signin/public/identity_manager/consent_level.h"
-#include "components/signin/public/identity_manager/identity_manager.h"
-#include "components/sync/base/user_selectable_type.h"
-#include "components/sync/driver/sync_service.h"
-#include "components/sync/driver/sync_service_utils.h"
-#include "components/sync/driver/sync_user_settings.h"
 #include "components/unified_consent/pref_names.h"
 #include "components/user_prefs/user_prefs.h"
 #include "components/variations/service/variations_service.h"
@@ -52,15 +45,6 @@ bool RealTimePolicyEngine::IsUserEpOptedIn(PrefService* pref_service) {
   return IsEnhancedProtectionEnabled(*pref_service);
 }
 
-// static
-bool RealTimePolicyEngine::IsPrimaryAccountSignedIn(
-    signin::IdentityManager* identity_manager) {
-  CoreAccountInfo primary_account_info =
-      identity_manager->GetPrimaryAccountInfo(
-          signin::ConsentLevel::kNotRequired);
-  return !primary_account_info.account_id.empty();
-}
-
 // static
 bool RealTimePolicyEngine::CanPerformFullURLLookup(
     PrefService* pref_service,
@@ -84,8 +68,7 @@ bool RealTimePolicyEngine::CanPerformFullURLLookup(
 bool RealTimePolicyEngine::CanPerformFullURLLookupWithToken(
     PrefService* pref_service,
     bool is_off_the_record,
-    syncer::SyncService* sync_service,
-    signin::IdentityManager* identity_manager,
+    ClientConfiguredForTokenFetchesCallback client_callback,
     variations::VariationsService* variations_service) {
   if (!CanPerformFullURLLookup(pref_service, is_off_the_record,
                                variations_service)) {
@@ -100,23 +83,7 @@ bool RealTimePolicyEngine::CanPerformFullURLLookupWithToken(
     return false;
   }
 
-  // If the user has explicitly enabled enhanced protection and the primary
-  // account is available, no further conditions are needed.
-  if (IsUserEpOptedIn(pref_service) &&
-      IsPrimaryAccountSignedIn(identity_manager)) {
-    return true;
-  }
-
-  // Otherwise, check the status of sync: Safe browsing token fetches are
-  // enabled when the user is syncing their browsing history without a custom
-  // passphrase.
-  // NOTE: |sync_service| can be null in Incognito, and can also be set to null
-  // by a cmdline param.
-  return sync_service &&
-         (syncer::GetUploadToGoogleState(
-              sync_service, syncer::ModelType::HISTORY_DELETE_DIRECTIVES) ==
-          syncer::UploadState::ACTIVE) &&
-         !sync_service->GetUserSettings()->IsUsingSecondaryPassphrase();
+  return std::move(client_callback).Run(IsUserEpOptedIn(pref_service));
 }
 
 // static

components/safe_browsing/core/realtime/policy_engine.h

@@ -7,18 +7,11 @@
 
 #include <string>
 
+#include "base/callback.h"
 #include "build/build_config.h"
 
 class PrefService;
 
-namespace syncer {
-class SyncService;
-}
-
-namespace signin {
-class IdentityManager;
-}
-
 namespace variations {
 class VariationsService;
 }
@@ -37,6 +30,12 @@ class RealTimePolicyEngine {
   RealTimePolicyEngine() = delete;
   ~RealTimePolicyEngine() = delete;
 
+  // A callback via which the client of this component indicates whether they
+  // are configured to support token fetches. Used as part of
+  // CanPerformFullURLLookupWithToken().
+  using ClientConfiguredForTokenFetchesCallback =
+      base::OnceCallback<bool(bool user_has_enabled_enhanced_protection)>;
+
   // Return true if full URL lookups are enabled for |resource_type|. If
   // |can_rt_check_subresource_url| is set to false, return true only if
   // |resource_type| is |kMainFrame|.
@@ -57,8 +56,7 @@ class RealTimePolicyEngine {
   static bool CanPerformFullURLLookupWithToken(
       PrefService* pref_service,
       bool is_off_the_record,
-      syncer::SyncService* sync_service,
-      signin::IdentityManager* identity_manager,
+      ClientConfiguredForTokenFetchesCallback client_callback,
       variations::VariationsService* variations_service);
 
   static bool CanPerformEnterpriseFullURLLookup(const PrefService* pref_service,
@@ -79,10 +77,6 @@ class RealTimePolicyEngine {
   // Whether the user has opted-in to Enhanced Protection.
   static bool IsUserEpOptedIn(PrefService* pref_service);
 
-  // Whether the primary account is signed in. Sync is not required.
-  static bool IsPrimaryAccountSignedIn(
-      signin::IdentityManager* identity_manager);
-
   friend class RealTimePolicyEngineTest;
 };  // class RealTimePolicyEngine
 

components/safe_browsing/core/realtime/policy_engine_unittest.cc

@@ -10,8 +10,6 @@
 #include "components/safe_browsing/core/common/safebrowsing_constants.h"
 #include "components/safe_browsing/core/common/test_task_environment.h"
 #include "components/safe_browsing/core/features.h"
-#include "components/signin/public/identity_manager/identity_test_environment.h"
-#include "components/sync/driver/test_sync_service.h"
 #include "components/sync_preferences/testing_pref_service_syncable.h"
 #include "components/unified_consent/pref_names.h"
 #include "components/unified_consent/unified_consent_service.h"
@@ -20,6 +18,15 @@
 
 namespace safe_browsing {
 
+// Used in tests of CanPerformFullURLLookupWithToken().
+bool AreTokenFetchesEnabledInClient(bool expected_ep_enabled_value,
+                                    bool return_value,
+                                    bool user_has_enabled_enhanced_protection) {
+  EXPECT_EQ(expected_ep_enabled_value, user_has_enabled_enhanced_protection);
+
+  return return_value;
+}
+
 class RealTimePolicyEngineTest : public PlatformTest {
  public:
   RealTimePolicyEngineTest() : task_environment_(CreateTestTaskEnvironment()) {}
@@ -41,10 +48,10 @@ class RealTimePolicyEngineTest : public PlatformTest {
 
   bool CanPerformFullURLLookupWithToken(
       bool is_off_the_record,
-      syncer::SyncService* sync_service,
-      signin::IdentityManager* identity_manager) {
+      RealTimePolicyEngine::ClientConfiguredForTokenFetchesCallback
+          client_callback) {
     return RealTimePolicyEngine::CanPerformFullURLLookupWithToken(
-        &pref_service_, is_off_the_record, sync_service, identity_manager,
+        &pref_service_, is_off_the_record, std::move(client_callback),
         /*variations_service=*/nullptr);
   }
 
@@ -106,26 +113,22 @@ TEST_F(RealTimePolicyEngineTest,
 
 TEST_F(RealTimePolicyEngineTest,
        TestCanPerformFullURLLookup_RTLookupForEpEnabled_WithTokenDisabled) {
-  std::unique_ptr<signin::IdentityTestEnvironment> identity_test_env =
-      std::make_unique<signin::IdentityTestEnvironment>();
-  signin::IdentityManager* identity_manager =
-      identity_test_env->identity_manager();
-  syncer::TestSyncService sync_service;
-  // User is signed in.
-  identity_test_env->MakeUnconsentedPrimaryAccountAvailable("test@example.com");
-
   pref_service_.SetBoolean(prefs::kSafeBrowsingEnhanced, true);
   {
     base::test::ScopedFeatureList feature_list;
     feature_list.InitAndEnableFeature(kEnhancedProtection);
     EXPECT_TRUE(CanPerformFullURLLookup(/* is_off_the_record */ false));
     EXPECT_TRUE(CanPerformFullURLLookupWithToken(
-        /* is_off_the_record */ false, &sync_service, identity_manager));
+        /* is_off_the_record */ false,
+        base::BindOnce(&AreTokenFetchesEnabledInClient,
+                       /*expected_ep_enabled_value=*/true,
+                       /*return_value=*/true)));
   }
 }
 
-TEST_F(RealTimePolicyEngineTest,
-       TestCanPerformFullURLLookupWithToken_SyncControlled) {
+TEST_F(
+    RealTimePolicyEngineTest,
+    TestCanPerformFullURLLookupWithToken_ClientControlledWithoutEnhancedProtection) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       /* enabled_features */ {kRealTimeUrlLookupEnabled,
@@ -134,71 +137,57 @@ TEST_F(RealTimePolicyEngineTest,
   pref_service_.SetUserPref(
       unified_consent::prefs::kUrlKeyedAnonymizedDataCollectionEnabled,
       std::make_unique<base::Value>(true));
-  std::unique_ptr<signin::IdentityTestEnvironment> identity_test_env =
-      std::make_unique<signin::IdentityTestEnvironment>();
-  signin::IdentityManager* identity_manager =
-      identity_test_env->identity_manager();
-  syncer::TestSyncService sync_service;
 
-  // Sync is disabled.
-  sync_service.SetDisableReasons(
-      {syncer::SyncService::DISABLE_REASON_USER_CHOICE});
-  sync_service.SetTransportState(syncer::SyncService::TransportState::DISABLED);
+  // Token fetches are not configured in the client.
   EXPECT_FALSE(CanPerformFullURLLookupWithToken(
-      /* is_off_the_record */ false, &sync_service, identity_manager));
+      /* is_off_the_record */ false,
+      base::BindOnce(&AreTokenFetchesEnabledInClient,
+                     /*expected_ep_enabled_value=*/false,
+                     /*return_value=*/false)));
 
-  // Sync is enabled.
-  sync_service.SetDisableReasons({});
-  sync_service.SetTransportState(syncer::SyncService::TransportState::ACTIVE);
+  // Token fetches are configured in the client.
   EXPECT_TRUE(CanPerformFullURLLookupWithToken(
-      /* is_off_the_record */ false, &sync_service, identity_manager));
-
-  // History sync is disabled.
-  sync_service.GetUserSettings()->SetSelectedTypes(
-      /* sync_everything */ false, {});
-  EXPECT_FALSE(CanPerformFullURLLookupWithToken(
-      /* is_off_the_record */ false, &sync_service, identity_manager));
-
-  // Custom passphrase is enabled.
-  sync_service.GetUserSettings()->SetSelectedTypes(
-      false, {syncer::UserSelectableType::kHistory});
-  sync_service.SetIsUsingSecondaryPassphrase(true);
-  EXPECT_FALSE(CanPerformFullURLLookupWithToken(
-      /* is_off_the_record */ false, &sync_service, identity_manager));
+      /* is_off_the_record */ false,
+      base::BindOnce(&AreTokenFetchesEnabledInClient,
+                     /*expected_ep_enabled_value=*/false,
+                     /*return_value=*/true)));
 }
 
-TEST_F(RealTimePolicyEngineTest,
-       TestCanPerformFullURLLookupWithToken_EnhancedProtection) {
+TEST_F(
+    RealTimePolicyEngineTest,
+    TestCanPerformFullURLLookupWithToken_ClientControlledWithEnhancedProtection) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       /* enabled_features */ {kEnhancedProtection},
       /* disabled_features */ {kRealTimeUrlLookupEnabledWithToken});
-  std::unique_ptr<signin::IdentityTestEnvironment> identity_test_env =
-      std::make_unique<signin::IdentityTestEnvironment>();
-  signin::IdentityManager* identity_manager =
-      identity_test_env->identity_manager();
-  syncer::TestSyncService sync_service;
 
-  // For the purposes of this test, disable sync.
-  sync_service.SetDisableReasons(
-      {syncer::SyncService::DISABLE_REASON_USER_CHOICE});
-  sync_service.SetTransportState(syncer::SyncService::TransportState::DISABLED);
-  sync_service.GetUserSettings()->SetSelectedTypes(
-      /* sync_everything */ false, {});
+  // Enhanced protection is not enabled and the Finch feature is disabled: token
+  // fetches should be disallowed whether or not they are configured in the
+  // client.
+  EXPECT_FALSE(CanPerformFullURLLookupWithToken(
+      /* is_off_the_record */ false,
+      base::BindOnce(&AreTokenFetchesEnabledInClient,
+                     /*expected_ep_enabled_value=*/false,
+                     /*return_value=*/false)));
+  EXPECT_FALSE(CanPerformFullURLLookupWithToken(
+      /* is_off_the_record */ false,
+      base::BindOnce(&AreTokenFetchesEnabledInClient,
+                     /*expected_ep_enabled_value=*/false,
+                     /*return_value=*/true)));
 
-  // Enhanced protection is on but the user is not signed in: it should not be
-  // possible to perform URL lookups with tokens.
+  // With enhanced protection enabled, whether token fetches are allowed should
+  // be dependent on the configuration of the client
   pref_service_.SetBoolean(prefs::kSafeBrowsingEnhanced, true);
   EXPECT_FALSE(CanPerformFullURLLookupWithToken(
-      /* is_off_the_record */ false, &sync_service, identity_manager));
-
-  // Enhanced protection is on and the user is signed in: it should be possible
-  // to perform URL lookups with tokens (even though the
-  // kRealTimeLookupEnabledWithToken feature and sync/history sync are
-  // disabled).
-  identity_test_env->MakeUnconsentedPrimaryAccountAvailable("test@example.com");
+      /* is_off_the_record */ false,
+      base::BindOnce(&AreTokenFetchesEnabledInClient,
+                     /*expected_ep_enabled_value=*/true,
+                     /*return_value=*/false)));
   EXPECT_TRUE(CanPerformFullURLLookupWithToken(
-      /* is_off_the_record */ false, &sync_service, identity_manager));
+      /* is_off_the_record */ false,
+      base::BindOnce(&AreTokenFetchesEnabledInClient,
+                     /*expected_ep_enabled_value=*/true,
+                     /*return_value=*/true)));
 }
 
 TEST_F(RealTimePolicyEngineTest, TestCanPerformEnterpriseFullURLLookup) {

components/safe_browsing/core/realtime/url_lookup_service.cc

@@ -14,6 +14,7 @@
 #include "components/prefs/pref_service.h"
 #include "components/safe_browsing/buildflags.h"
 #include "components/safe_browsing/core/browser/sync/safe_browsing_primary_account_token_fetcher.h"
+#include "components/safe_browsing/core/browser/sync/sync_utils.h"
 #include "components/safe_browsing/core/common/safe_browsing_prefs.h"
 #include "components/safe_browsing/core/common/thread_utils.h"
 #include "components/safe_browsing/core/db/v4_protocol_manager_util.h"
@@ -92,7 +93,10 @@ bool RealTimeUrlLookupService::CanPerformFullURLLookup() const {
 
 bool RealTimeUrlLookupService::CanPerformFullURLLookupWithToken() const {
   return RealTimePolicyEngine::CanPerformFullURLLookupWithToken(
-      pref_service_, is_off_the_record_, sync_service_, identity_manager_,
+      pref_service_, is_off_the_record_,
+      base::BindOnce(
+          &SyncUtils::AreSigninAndSyncSetUpForSafeBrowsingTokenFetches,
+          sync_service_, identity_manager_),
       variations_);
 }