Use mapped pref for BuiltinCertificateVerifierEnabled policy through local_satte

Map the BuiltinCertificateVerifierEnabled policy to a local_state pref, relying on ChromeOS on the proxying of primary user policies to the device-wide PolicyService. This has not been possible previously due to https://crbug.com/982936. This will make it easier to expand the scope of the policy to other platforms in a consistent way. Bug: 978069 Test: browser_tests --gtest_filter=*ProfileNetworkContextService* Change-Id: Ifc0032e81c78a99d4686bc18693aef72fd97e38d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1807225Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Pavol Marko <pmarko@chromium.org> Cr-Commit-Position: refs/heads/master@{#697374}

Use mapped pref for BuiltinCertificateVerifierEnabled policy through local_satte
Map the BuiltinCertificateVerifierEnabled policy to a local_state pref, relying on ChromeOS on the proxying of primary user policies to the device-wide PolicyService. This has not been possible previously due to https://crbug.com/982936. This will make it easier to expand the scope of the policy to other platforms in a consistent way. Bug: 978069 Test: browser_tests --gtest_filter=*ProfileNetworkContextService* Change-Id: Ifc0032e81c78a99d4686bc18693aef72fd97e38d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1807225Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Pavol Marko <pmarko@chromium.org> Cr-Commit-Position: refs/heads/master@{#697374}
512d2c94 · Pavol Marko · Commit Bot · 56ba0875 · 512d2c94 · 512d2c94
Commit 512d2c94 authored Sep 17, 2019 by Pavol Marko Committed by Commit Bot Sep 17, 2019
Showing with 10 additions and 45 deletions

chrome/browser/net/profile_network_context_service.cc chrome/browser/net/profile_network_context_service.cc +7 -44

chrome/test/data/policy/policy_test_cases.json chrome/test/data/policy/policy_test_cases.json +3 -1

No files found.
--- a/chrome/browser/net/profile_network_context_service.cc
+++ b/chrome/browser/net/profile_network_context_service.cc
@@ -94,17 +94,6 @@ std::string ComputeAcceptLanguageFromPref(const std::string& language_pref) {
 }

 #if defined(OS_CHROMEOS)
-Profile* GetPrimaryProfile() {
-  // Obtains the primary profile.
-  if (!user_manager::UserManager::IsInitialized())
-    return nullptr;
-  const user_manager::User* primary_user =
-      user_manager::UserManager::Get()->GetPrimaryUser();
-  if (!primary_user)
-    return nullptr;
-  return chromeos::ProfileHelper::Get()->GetProfileByUser(primary_user);
-}
-
 bool ShouldUseBuiltinCertVerifier(Profile* profile) {
  base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
  if (command_line->HasSwitch(chromeos::switches::kForceCertVerifierBuiltin))
@@ -115,34 +104,8 @@ bool ShouldUseBuiltinCertVerifier(Profile* profile) {
    return true;
  }

-  // TODO(https://crbug.com/982936): Instead of evaluating the primary profile
-  // prefs explicitly, register the pref with LocalState and evaluate the pref
-  // there. Note that currently that is not possible because the LocalState
-  // prefs may not reflect the primary profile policy state at the time this
-  // function is executed.
-
-  // Explicitly check if |profile| is the primary profile. GetPrimaryProfile
-  // only returns non-null pretty late in the primary profile initialization
-  // stage, and the NetworkContext is created before that.
-  Profile* primary_profile = nullptr;
-  if (chromeos::ProfileHelper::Get()->IsPrimaryProfile(profile))
-    primary_profile = profile;
-
-  if (!primary_profile)
-    primary_profile = GetPrimaryProfile();
-  if (!primary_profile) {
-    NOTREACHED();
-    return base::FeatureList::IsEnabled(
-        net::features::kCertVerifierBuiltinFeature);
-  }
-
-  // The policy evaluated through the pref is not updatable dynamically, so
-  // assert that the pref system is already initialized at the time this is
-  // called.
-  DCHECK_NE(PrefService::INITIALIZATION_STATUS_WAITING,
-            primary_profile->GetPrefs()->GetInitializationStatus());
  const PrefService::Preference* builtin_cert_verifier_enabled_pref =
-      primary_profile->GetPrefs()->FindPreference(
+      g_browser_process->local_state()->FindPreference(
          prefs::kBuiltinCertificateVerifierEnabled);
  if (builtin_cert_verifier_enabled_pref->IsManaged())
    return builtin_cert_verifier_enabled_pref->GetValue()->GetBool();
@@ -271,18 +234,18 @@ void ProfileNetworkContextService::UpdateAdditionalCertificates() {
 void ProfileNetworkContextService::RegisterProfilePrefs(
    user_prefs::PrefRegistrySyncable* registry) {
  registry->RegisterBooleanPref(prefs::kQuicAllowed, true);
-#if defined(OS_CHROMEOS)
-  // Note that the default value is not relevant because the pref is only
-  // evaluated when it is managed.
-  registry->RegisterBooleanPref(prefs::kBuiltinCertificateVerifierEnabled,
-                                false);
-#endif
 }

 // static
 void ProfileNetworkContextService::RegisterLocalStatePrefs(
    PrefRegistrySimple* registry) {
  registry->RegisterListPref(prefs::kHSTSPolicyBypassList);
+#if defined(OS_CHROMEOS)
+  // Note that the default value is not relevant because the pref is only
+  // evaluated when it is managed.
+  registry->RegisterBooleanPref(prefs::kBuiltinCertificateVerifierEnabled,
+                                false);
+#endif
 }

 void ProfileNetworkContextService::DisableQuicIfNotAllowed() {

--- a/chrome/test/data/policy/policy_test_cases.json
+++ b/chrome/test/data/policy/policy_test_cases.json
@@ -911,7 +911,9 @@
    "os": ["chromeos"],
    "test_policy": { "BuiltinCertificateVerifierEnabled": true },
    "pref_mappings": [
-      { "pref": "builtin_certificate_verifier_enabled" }
+      { "pref": "builtin_certificate_verifier_enabled",
+        "local_state": true
+      }
    ]
  },