Resubmit: Read allowed domains from omaha policy.

This is the exact change (after conflict resolution) as the one reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/2446546 which was reverted in https://chromium-review.googlesource.com/c/chromium/src/+/2453393 due to breaking component builds. That issue has been fixed.

When cloud policies is enabled, GCPW will try to read the list of allowed domains from Omaha policy if they have been fetched already. If not it will fall back to the registry entry as before.

Bug: 1134817
Change-Id: If4e50a4c9532e897fabf7470688a83b3653a56bc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2496183Reviewed-by: S. Ganesh <ganesh@chromium.org>
Reviewed-by: Rakesh Soma <rakeshsoma@google.com>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Yusuf Sengul <yusufsn@google.com>
Commit-Queue: Robin Lewis <wrlewis@google.com>
Cr-Commit-Position: refs/heads/master@{#820783}

chrome/credential_provider/DEPS

@@ -2,7 +2,9 @@ include_rules = [
   "+chrome/common",
   "+chrome/installer/launcher_support",
   "+chrome/installer/util",
+  "+chrome/updater/protos",
   "+components/crash",
+  "+components/policy/proto",
   "+google_apis",
   "+third_party/boringssl/src/include",
   "+third_party/re2",

chrome/credential_provider/common/gcp_strings.cc

@@ -47,6 +47,8 @@ const wchar_t kDesktopFullName[] = L"WinSta0\\Winlogon";
 // Google Update related registry paths.
 #define GCPW_UPDATE_CLIENT_GUID L"{32987697-A14E-4B89-84D6-630D5431E831}"
 
+const wchar_t kGcpwUpdateClientGuid[] = GCPW_UPDATE_CLIENT_GUID;
+
 const wchar_t kRegUpdaterClientStateAppPath[] =
     L"SOFTWARE\\Google\\Update\\ClientState\\" GCPW_UPDATE_CLIENT_GUID;
 const wchar_t kRegUpdaterClientsAppPath[] =

chrome/credential_provider/common/gcp_strings.h

@@ -72,6 +72,9 @@ extern const wchar_t kLsaKeyGaiaPassword[];
 extern const wchar_t kDesktopName[];
 extern const wchar_t kDesktopFullName[];
 
+// GUID used by Google Update client for GCPW application.
+extern const wchar_t kGcpwUpdateClientGuid[];
+
 // Google Update related registry paths.
 extern const wchar_t kRegUpdaterClientStateAppPath[];
 extern const wchar_t kRegUpdaterClientsAppPath[];

chrome/credential_provider/gaiacp/BUILD.gn

@@ -120,6 +120,8 @@ component("policies") {
     ":util",
     "../extension:extension_lib",
     "//base",
+    "//chrome/updater/protos:omaha_proto",
+    "//components/policy/proto",
     "//url",
   ]
 }

chrome/credential_provider/gaiacp/device_policies.cc

@@ -4,6 +4,8 @@
 
 #include "chrome/credential_provider/gaiacp/device_policies.h"
 
+#include "base/strings/string_split.h"
+#include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "chrome/credential_provider/common/gcp_strings.h"
 #include "chrome/credential_provider/gaiacp/gcp_utils.h"
@@ -19,6 +21,18 @@ constexpr bool kDevicePolicyDefaultDeviceEnrollment = true;
 constexpr bool kDevicePolicyDefaultGcpwAutoUpdate = true;
 constexpr bool kDevicePolicyDefaultMultiUserLogin = true;
 
+// Read the list of domains allowed to login from registry.
+std::vector<base::string16> GetRegistryEmailDomains() {
+  base::string16 email_domains_reg =
+      GetGlobalFlagOrDefault(kEmailDomainsKey, L"");
+  base::string16 email_domains_reg_new =
+      GetGlobalFlagOrDefault(kEmailDomainsKeyNew, L"");
+  base::string16 email_domains =
+      email_domains_reg.empty() ? email_domains_reg_new : email_domains_reg;
+  return base::SplitString(email_domains, L",",
+                           base::WhitespaceHandling::TRIM_WHITESPACE,
+                           base::SplitResult::SPLIT_WANT_NONEMPTY);
+}
 }  // namespace
 
 // static
@@ -46,6 +60,7 @@ DevicePolicies::DevicePolicies()
       enable_gcpw_auto_update(kDevicePolicyDefaultGcpwAutoUpdate),
       enable_multi_user_login(kDevicePolicyDefaultMultiUserLogin) {
   // Override with the policies set in the registry.
+  domains_allowed_to_login = GetRegistryEmailDomains();
 
   base::string16 mdm_url = GetGlobalFlagOrDefault(kRegMdmUrl, kDefaultMdmUrl);
   DWORD reg_enable_dm_enrollment;
@@ -84,4 +99,8 @@ bool DevicePolicies::operator==(const DevicePolicies& other) const {
          (domains_allowed_to_login == other.domains_allowed_to_login);
 }
 
+base::string16 DevicePolicies::GetAllowedDomainsStr() const {
+  return base::JoinString(domains_allowed_to_login, L",");
+}
+
 }  // namespace credential_provider

chrome/credential_provider/gaiacp/device_policies.h

@@ -48,6 +48,9 @@ struct COMPONENT_EXPORT(GCPW_POLICIES) DevicePolicies {
   void MergeWith(const DevicePolicies& other);
 
   bool operator==(const DevicePolicies& other) const;
+
+  // Get a string with comma separated values from domains_allowed_to_login.
+  base::string16 GetAllowedDomainsStr() const;
 };
 
 }  // namespace credential_provider

chrome/credential_provider/gaiacp/device_policies_manager.cc

@@ -6,12 +6,15 @@
 
 #include <limits>
 
+#include "base/base64.h"
 #include "base/files/file.h"
 #include "base/files/file_util.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
+#include "base/path_service.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
+#include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "base/win/registry.h"
@@ -23,14 +26,124 @@
 #include "chrome/credential_provider/gaiacp/reg_utils.h"
 #include "chrome/credential_provider/gaiacp/user_policies_manager.h"
 #include "chrome/credential_provider/gaiacp/win_http_url_fetcher.h"
+#include "chrome/updater/protos/omaha_settings.pb.h"
+#include "components/policy/proto/device_management_backend.pb.h"
+
+using ::enterprise_management::PolicyData;
+using ::enterprise_management::PolicyFetchResponse;
+using ::wireless_android_enterprise_devicemanagement::ApplicationSettings;
+using ::wireless_android_enterprise_devicemanagement::
+    GcpwSpecificApplicationSettings;
+using ::wireless_android_enterprise_devicemanagement::OmahaSettingsClientProto;
+
+namespace credential_provider {
 
 namespace {
 // Character used to separate the update channel and version components in the
 // update tracks value.
 const wchar_t kChannelAndVersionSeparator[] = L"-";
-}  // namespace
 
-namespace credential_provider {
+// Name of the file used to store the policies on disk by Omaha that it receives
+// from the DMServer.
+constexpr char kOmahaPolicyFileName[] = "PolicyFetchResponse";
+
+// Directory name where Omaha policies are stored.
+constexpr char kOmahaPoliciesDirName[] = "Policies";
+
+// The policy type for Omaha policy settings.
+constexpr char kOmahaPolicyType[] = "google/machine-level-omaha";
+
+// Gets the file path where Omaha policies for the device are stored.
+base::FilePath GetOmahaPolicyFilePath() {
+  base::FilePath policy_dir;
+  if (!base::PathService::Get(base::DIR_PROGRAM_FILESX86, &policy_dir)) {
+    HRESULT hr = HRESULT_FROM_WIN32(::GetLastError());
+    LOGFN(ERROR) << "PathService::Get(DIR_PROGRAM_FILESX86) hr=" << putHR(hr);
+    return base::FilePath();
+  }
+
+  std::string encoded_omaha_policy_type;
+  base::Base64Encode(kOmahaPolicyType, &encoded_omaha_policy_type);
+  policy_dir = policy_dir.Append(GetInstallParentDirectoryName())
+                   .AppendASCII(kOmahaPoliciesDirName)
+                   .AppendASCII(encoded_omaha_policy_type);
+
+  base::FilePath policy_file_path =
+      policy_dir.AppendASCII(kOmahaPolicyFileName);
+  return policy_file_path;
+}
+
+// Returns a parsed proto of the Omaha policy fetch response stored on disk from
+// the last time Omaha synced the policies from the backend server.
+std::unique_ptr<PolicyFetchResponse> ReadOmahaPolicyFromDisk() {
+  LOGFN(VERBOSE);
+
+  base::FilePath policy_file_path = GetOmahaPolicyFilePath();
+  std::string policy_blob;
+
+  if (!base::PathExists(policy_file_path) ||
+      !base::ReadFileToString(policy_file_path, &policy_blob)) {
+    LOGFN(WARNING) << "Omaha policy not found in " << policy_file_path;
+    return nullptr;
+  }
+
+  auto policy_fetch_response = std::make_unique<PolicyFetchResponse>();
+  if (policy_blob.empty() ||
+      !policy_fetch_response->ParseFromString(policy_blob)) {
+    LOGFN(ERROR) << "Omaha policy corrupted!";
+    return nullptr;
+  }
+
+  return policy_fetch_response;
+}
+
+// Get the list of domains allowed to login as defined by the cloud policy
+// fetched by Omaha.
+bool GetAllowedDomainsToLoginFromCloudPolicy(
+    std::vector<base::string16>* domains) {
+  DCHECK(domains);
+
+  std::unique_ptr<PolicyFetchResponse> policy_fetch_response =
+      ReadOmahaPolicyFromDisk();
+  if (!policy_fetch_response) {
+    return false;
+  }
+
+  PolicyData policy_data;
+  if (!policy_fetch_response->has_policy_data() ||
+      !policy_data.ParseFromString(policy_fetch_response->policy_data()) ||
+      !policy_data.has_policy_value()) {
+    LOGFN(ERROR) << "Cloud policy data not found!";
+    return false;
+  }
+
+  OmahaSettingsClientProto omaha_settings;
+  omaha_settings.ParseFromString(policy_data.policy_value());
+
+  bool found_gcpw_settings = false;
+  for (const ApplicationSettings& app_setting :
+       omaha_settings.application_settings()) {
+    if (app_setting.app_guid() == base::UTF16ToUTF8(kGcpwUpdateClientGuid) &&
+        app_setting.has_gcpw_application_settings()) {
+      found_gcpw_settings = true;
+      const GcpwSpecificApplicationSettings& gcpw_settings =
+          app_setting.gcpw_application_settings();
+
+      domains->clear();
+      for (const std::string& domain :
+           gcpw_settings.domains_allowed_to_login()) {
+        domains->push_back(base::UTF8ToUTF16(domain));
+      }
+      LOGFN(VERBOSE) << "Cloud policy domains: "
+                     << base::JoinString(*domains, L",");
+
+      break;
+    }
+  }
+
+  return found_gcpw_settings;
+}
+}  // namespace
 
 // static
 DevicePoliciesManager* DevicePoliciesManager::Get() {
@@ -87,6 +200,14 @@ void DevicePoliciesManager::GetDevicePolicies(DevicePolicies* device_policies) {
       device_policies->MergeWith(other_policies);
     }
   }
+
+  // Read allowed domains cloud policy.
+  std::vector<base::string16> domains_from_policy;
+  if (GetAllowedDomainsToLoginFromCloudPolicy(&domains_from_policy)) {
+    device_policies->domains_allowed_to_login = domains_from_policy;
+  } else {
+    LOGFN(VERBOSE) << "Allowed domains cloud policy not found";
+  }
 }
 
 void DevicePoliciesManager::EnforceGcpwUpdatePolicy() {
@@ -166,4 +287,31 @@ void DevicePoliciesManager::EnforceGcpwUpdatePolicy() {
   }
 }
 
+bool DevicePoliciesManager::SetAllowedDomainsOmahaPolicyForTesting(
+    const std::vector<base::string16>& domains) {
+  OmahaSettingsClientProto omaha_settings;
+  ApplicationSettings* app_settings = omaha_settings.add_application_settings();
+  app_settings->set_app_guid(base::UTF16ToUTF8(kGcpwUpdateClientGuid));
+  GcpwSpecificApplicationSettings* gcpw_settings =
+      app_settings->mutable_gcpw_application_settings();
+
+  for (const base::string16& domain : domains) {
+    gcpw_settings->add_domains_allowed_to_login(base::UTF16ToUTF8(domain));
+  }
+
+  PolicyData policy_data;
+  std::string policy_value = omaha_settings.SerializeAsString();
+  policy_data.set_policy_value(policy_value);
+
+  PolicyFetchResponse policy_fetch_response;
+  policy_fetch_response.set_error_code(200);
+  std::string policy_data_str = policy_data.SerializeAsString();
+  policy_fetch_response.set_policy_data(policy_data_str);
+
+  base::FilePath policy_file_path = GetOmahaPolicyFilePath();
+  std::string policy_response_str = policy_fetch_response.SerializeAsString();
+  base::CreateDirectory(policy_file_path.DirName());
+  return base::WriteFile(policy_file_path, policy_response_str);
+}
+
 }  // namespace credential_provider

chrome/credential_provider/gaiacp/device_policies_manager.h

@@ -26,6 +26,11 @@ class COMPONENT_EXPORT(GCPW_POLICIES) DevicePoliciesManager {
   // Make sure GCPW update is set up correctly.
   void EnforceGcpwUpdatePolicy();
 
+  // Creates an Omaha policy with the list of allowed |domains| for GCPW to be
+  // used in tests.
+  bool SetAllowedDomainsOmahaPolicyForTesting(
+      const std::vector<base::string16>& domains);
+
  protected:
   // Returns the storage used for the instance pointer.
   static DevicePoliciesManager** GetInstanceStorage();

chrome/credential_provider/gaiacp/device_policies_manager_unittests.cc

@@ -5,6 +5,8 @@
 #include <windows.h>
 
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/string_split.h"
+#include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "chrome/credential_provider/gaiacp/device_policies_manager.h"
@@ -204,5 +206,150 @@ INSTANTIATE_TEST_SUITE_P(All,
                                                               "100.1.2.3",
                                                               "100.1.2.4")));
 
+// Base test for testing allowed domains policy scenarios.
+class GcpDevicePoliciesAllowedDomainsBaseTest
+    : public GcpDevicePoliciesBaseTest {
+ public:
+  void SetUp() override;
+};
+
+void GcpDevicePoliciesAllowedDomainsBaseTest::SetUp() {
+  GcpDevicePoliciesBaseTest::SetUp();
+
+  // Delete any existing registry entries. Setting to empty deletes them.
+  SetGlobalFlagForTesting(L"ed", L"");
+  SetGlobalFlagForTesting(L"domains_allowed_to_login", L"");
+}
+
+// Test that correct allowed domains policy is obtained whether they are set in
+// the registry or through the cloud policy.
+// Parameters are:
+// 1. bool : Whether domains set through Omaha cloud policy.
+// 2. int  : 0 - Domains not set through registry.
+//           1 - Domains set through deprecated "ed" registry entry.
+//           2 - Domains set through "domains_allowed_to_login" registry entry.
+// 3. string : List of domains from which users are allowed to login.
+// 4. bool : Has existing user.
+class GcpDevicePoliciesAllowedDomainsTest
+    : public GcpDevicePoliciesAllowedDomainsBaseTest,
+      public ::testing::WithParamInterface<
+          std::tuple<bool, int, const wchar_t*, bool>> {};
+
+TEST_P(GcpDevicePoliciesAllowedDomainsTest, OmahaPolicyTest) {
+  bool has_omaha_domains_policy = std::get<0>(GetParam());
+  bool has_registry_domains_policy = std::get<1>(GetParam()) != 0;
+  bool use_old_domains_reg_key = std::get<1>(GetParam()) == 1;
+  base::string16 allowed_domains_str(std::get<2>(GetParam()));
+  bool has_existing_user = std::get<3>(GetParam());
+
+  std::vector<base::string16> allowed_domains = base::SplitString(
+      allowed_domains_str, L",", base::WhitespaceHandling::TRIM_WHITESPACE,
+      base::SplitResult::SPLIT_WANT_NONEMPTY);
+
+  if (has_omaha_domains_policy) {
+    ASSERT_TRUE(
+        DevicePoliciesManager::Get()->SetAllowedDomainsOmahaPolicyForTesting(
+            allowed_domains));
+  }
+
+  if (has_registry_domains_policy) {
+    if (use_old_domains_reg_key) {
+      SetGlobalFlagForTesting(L"ed", allowed_domains_str);
+    } else {
+      SetGlobalFlagForTesting(L"domains_allowed_to_login", allowed_domains_str);
+    }
+  }
+
+  FakeUserPoliciesManager fake_user_policies_manager(true);
+  UserPolicies user_policy;
+
+  if (has_existing_user) {
+    CComBSTR sid;
+    ASSERT_EQ(S_OK,
+              fake_os_user_manager()->CreateTestOSUser(
+                  kDefaultUsername, L"password", L"Full Name", L"comment",
+                  base::UTF8ToUTF16(kDefaultGaiaId), base::string16(), &sid));
+    // Add a random user policy.
+    user_policy.enable_dm_enrollment = false;
+    user_policy.enable_gcpw_auto_update = false;
+    user_policy.enable_multi_user_login = false;
+    user_policy.gcpw_pinned_version = GcpwVersion("100.1.2.3");
+
+    fake_user_policies_manager.SetUserPolicies(OLE2W(sid), user_policy);
+  }
+
+  DevicePolicies device_policies;
+  DevicePoliciesManager::Get()->GetDevicePolicies(&device_policies);
+
+  if (has_omaha_domains_policy || has_registry_domains_policy)
+    ASSERT_EQ(allowed_domains, device_policies.domains_allowed_to_login);
+
+  if (has_existing_user) {
+    ASSERT_EQ(user_policy.enable_dm_enrollment,
+              device_policies.enable_dm_enrollment);
+    ASSERT_EQ(user_policy.enable_gcpw_auto_update,
+              device_policies.enable_gcpw_auto_update);
+    ASSERT_EQ(user_policy.enable_multi_user_login,
+              device_policies.enable_multi_user_login);
+    ASSERT_EQ(user_policy.gcpw_pinned_version,
+              device_policies.gcpw_pinned_version);
+  }
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    All,
+    GcpDevicePoliciesAllowedDomainsTest,
+    ::testing::Combine(
+        ::testing::Bool(),
+        ::testing::Values(0, 1, 2),
+        ::testing::Values(L"", L"acme.com", L"acme.com,acme.org"),
+        ::testing::Bool()));
+
+// Test to ensure Omaha policies override the existing registry settings for
+// allowed domains policy.
+// Parameters are:
+// 1. bool : If true, deprecated "ed" registry entry is used. Otherwise
+//           "domains_allowed_to_login" is used.
+// 2. string : List of allowed domains for GCPW specified through registry.
+// 3. string : List of allowed domains for GCPW specified through a Omaha cloud
+//             policy.
+class GcpDevicePoliciesOmahaDomainsWinTest
+    : public GcpDevicePoliciesAllowedDomainsBaseTest,
+      public ::testing::WithParamInterface<
+          std::tuple<bool, const wchar_t*, const wchar_t*>> {};
+
+TEST_P(GcpDevicePoliciesOmahaDomainsWinTest, TestConflict) {
+  bool use_old_domains_reg_key = std::get<0>(GetParam());
+  base::string16 domains_registry_str(std::get<1>(GetParam()));
+  base::string16 domains_from_omaha_str(std::get<2>(GetParam()));
+
+  std::vector<base::string16> allowed_domains_omaha = base::SplitString(
+      domains_from_omaha_str, L",", base::WhitespaceHandling::TRIM_WHITESPACE,
+      base::SplitResult::SPLIT_WANT_NONEMPTY);
+
+  ASSERT_TRUE(
+      DevicePoliciesManager::Get()->SetAllowedDomainsOmahaPolicyForTesting(
+          allowed_domains_omaha));
+
+  if (use_old_domains_reg_key) {
+    SetGlobalFlagForTesting(L"ed", domains_registry_str);
+  } else {
+    SetGlobalFlagForTesting(L"domains_allowed_to_login", domains_registry_str);
+  }
+
+  DevicePolicies device_policies;
+  DevicePoliciesManager::Get()->GetDevicePolicies(&device_policies);
+
+  ASSERT_EQ(allowed_domains_omaha, device_policies.domains_allowed_to_login);
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    All,
+    GcpDevicePoliciesOmahaDomainsWinTest,
+    ::testing::Combine(
+        ::testing::Bool(),
+        ::testing::Values(L"", L"acme.com", L"acme.com,acme.org"),
+        ::testing::Values(L"", L"company.com", L"company.com,company.org")));
+
 }  // namespace testing
 }  // namespace credential_provider

chrome/credential_provider/gaiacp/gaia_credential_base.cc

@@ -71,8 +71,6 @@ namespace credential_provider {
 
 namespace {
 
-constexpr wchar_t kEmailDomainsKey[] = L"ed";  // deprecated.
-constexpr wchar_t kEmailDomainsKeyNew[] = L"domains_allowed_to_login";
 constexpr wchar_t kPermittedAccounts[] = L"permitted_accounts";
 constexpr wchar_t kPermittedAccountsSeparator[] = L",";
 constexpr char kGetAccessTokenBodyWithScopeFormat[] =
@@ -116,6 +114,14 @@ base::string16 GetEmailDomains(
 }
 
 base::string16 GetEmailDomains() {
+  if (DevicePoliciesManager::Get()->CloudPoliciesEnabled()) {
+    DevicePolicies device_policies;
+    DevicePoliciesManager::Get()->GetDevicePolicies(&device_policies);
+    return device_policies.GetAllowedDomainsStr();
+  }
+
+  // TODO (crbug.com/1135458): Clean up directly reading from registry after
+  // cloud policies is launched.
   base::string16 email_domains_reg = GetEmailDomains(kEmailDomainsKey);
   base::string16 email_domains_reg_new = GetEmailDomains(kEmailDomainsKeyNew);
   return email_domains_reg.empty() ? email_domains_reg_new : email_domains_reg;

chrome/credential_provider/gaiacp/gaia_credential_base_unittests.cc

@@ -3780,5 +3780,73 @@ INSTANTIATE_TEST_SUITE_P(
                        ::testing::Values(L"", L"beta"),
                        ::testing::Values(L"", L"80.2.35.4")));
 
+// Test the allowed domains to login policy defined either through registry or
+// through a cloud policy.
+// Parameters are:
+// 1. int  : 0 - Domains set through cloud policy.
+//           1 - Domains set through deprecated "ed" registry entry.
+//           2 - Domains set through "domains_allowed_to_login" registry entry.
+// 2. string : List of domains from which users are allowed to login.
+class GcpGaiaCredentialBaseAllowedDomainsCloudPolicyTest
+    : public GcpGaiaCredentialBaseTest,
+      public ::testing::WithParamInterface<std::tuple<int, const wchar_t*>> {
+ public:
+  void SetUp() override;
+};
+
+void GcpGaiaCredentialBaseAllowedDomainsCloudPolicyTest::SetUp() {
+  GcpGaiaCredentialBaseTest::SetUp();
+
+  // Delete any existing registry entries. Setting to empty deletes them.
+  SetGlobalFlagForTesting(L"ed", L"");
+  SetGlobalFlagForTesting(L"domains_allowed_to_login", L"");
+}
+
+TEST_P(GcpGaiaCredentialBaseAllowedDomainsCloudPolicyTest, OmahaPolicyTest) {
+  bool cloud_policies_enabled = std::get<0>(GetParam()) == 0;
+  bool use_old_domains_reg_key = std::get<0>(GetParam()) == 1;
+  base::string16 allowed_domains(std::get<1>(GetParam()));
+
+  FakeDevicePoliciesManager fake_device_policies_manager(
+      cloud_policies_enabled);
+
+  if (cloud_policies_enabled) {
+    DevicePolicies device_policies;
+    if (!allowed_domains.empty()) {
+      device_policies.domains_allowed_to_login = base::SplitString(
+          allowed_domains, L",", base::WhitespaceHandling::TRIM_WHITESPACE,
+          base::SplitResult::SPLIT_WANT_NONEMPTY);
+    }
+    fake_device_policies_manager.SetDevicePolicies(device_policies);
+  } else if (use_old_domains_reg_key) {
+    SetGlobalFlagForTesting(L"ed", allowed_domains);
+  } else {
+    SetGlobalFlagForTesting(L"domains_allowed_to_login", allowed_domains);
+  }
+
+  // Create provider and start logon.
+  Microsoft::WRL::ComPtr<ICredentialProviderCredential> cred;
+
+  ASSERT_EQ(S_OK, InitializeProviderAndGetCredential(0, &cred));
+
+  if (allowed_domains.empty()) {
+    ASSERT_EQ(S_OK,
+              StartLogonProcess(/*succeeds=*/false, IDS_EMAIL_MISMATCH_BASE));
+  } else {
+    ASSERT_EQ(S_OK, StartLogonProcessAndWait());
+
+    // Finish logon successfully.
+    ASSERT_EQ(S_OK, FinishLogonProcess(true, true, 0));
+
+    ASSERT_EQ(S_OK, ReleaseProvider());
+  }
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    All,
+    GcpGaiaCredentialBaseAllowedDomainsCloudPolicyTest,
+    ::testing::Combine(::testing::Values(0, 1, 2),
+                       ::testing::Values(L"", L"acme.com,acme.org")));
+
 }  // namespace testing
 }  // namespace credential_provider

chrome/credential_provider/gaiacp/reg_utils.cc

@@ -62,6 +62,8 @@ constexpr wchar_t kRegDeveloperMode[] = L"developer_mode";
 constexpr wchar_t kRegUpdateCredentialsOnChange[] =
     L"update_credentials_on_change";
 constexpr wchar_t kRegUseShorterAccountName[] = L"use_shorter_account_name";
+constexpr wchar_t kEmailDomainsKey[] = L"ed";  // deprecated.
+constexpr wchar_t kEmailDomainsKeyNew[] = L"domains_allowed_to_login";
 
 namespace {
 

chrome/credential_provider/gaiacp/reg_utils.h

@@ -79,6 +79,10 @@ extern const wchar_t kRegUpdateCredentialsOnChange[];
 // should be in shorter form.
 extern const wchar_t kRegUseShorterAccountName[];
 
+// Registry keys where list of domains allowed to login is specified.
+extern const wchar_t kEmailDomainsKey[];  // Older deprecated key.
+extern const wchar_t kEmailDomainsKeyNew[];
+
 // Gets any HKLM registry key on the system.
 HRESULT GetMachineRegDWORD(const base::string16& key_name,
                            const base::string16& name,

chrome/credential_provider/test/gls_runner_test_base.cc

@@ -149,11 +149,15 @@ void GlsRunnerTestBase::SetUp() {
   // the tests.
   InitializeRegistryOverrideForTesting(&registry_override_);
 
-  // Override location of "Program Files" system folder so we don't modify local
-  // machine settings.
+  // Override location of "Program Files" system folder and its x86 version so
+  // we don't modify local machine settings.
   ASSERT_TRUE(scoped_temp_program_files_dir_.CreateUniqueTempDir());
   program_files_override_.reset(new base::ScopedPathOverride(
       base::DIR_PROGRAM_FILES, scoped_temp_program_files_dir_.GetPath()));
+  ASSERT_TRUE(scoped_temp_program_files_x86_dir_.CreateUniqueTempDir());
+  program_files_x86_override_.reset(new base::ScopedPathOverride(
+      base::DIR_PROGRAM_FILESX86,
+      scoped_temp_program_files_x86_dir_.GetPath()));
 
   // Also override location of "ProgramData" system folder as we store user
   // policies there.

chrome/credential_provider/test/gls_runner_test_base.h

@@ -240,8 +240,10 @@ class GlsRunnerTestBase : public ::testing::Test {
   std::string default_token_handle_response_;
 
   base::ScopedTempDir scoped_temp_program_files_dir_;
+  base::ScopedTempDir scoped_temp_program_files_x86_dir_;
   base::ScopedTempDir scoped_temp_progdata_dir_;
   std::unique_ptr<base::ScopedPathOverride> program_files_override_;
+  std::unique_ptr<base::ScopedPathOverride> program_files_x86_override_;
   std::unique_ptr<base::ScopedPathOverride> programdata_override_;
 };