Disallow Easy Unlock in secondary user profiles.

BUG=398946
TEST=manual and browser test

Review URL: https://codereview.chromium.org/442833002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@288004 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/chromeos/profiles/profile_helper.cc

@@ -177,6 +177,16 @@ bool ProfileHelper::IsOwnerProfile(Profile* profile) {
   return user->email() == chromeos::UserManager::Get()->GetOwnerEmail();
 }
 
+//static
+bool ProfileHelper::IsPrimaryProfile(Profile* profile) {
+  if (!profile)
+    return false;
+  user_manager::User* user = ProfileHelper::Get()->GetUserByProfile(profile);
+  if (!user)
+    return false;
+  return user == chromeos::UserManager::Get()->GetPrimaryUser();
+}
+
 void ProfileHelper::ProfileStartup(Profile* profile, bool process_startup) {
   // Initialize Chrome OS preferences like touch pad sensitivity. For the
   // preferences to work in the guest mode, the initialization has to be

chrome/browser/chromeos/profiles/profile_helper.h

@@ -85,6 +85,10 @@ class ProfileHelper : public BrowsingDataRemover::Observer,
   // Returns true when |profile| corresponds to owner's profile.
   static bool IsOwnerProfile(Profile* profile);
 
+  // Returns true when |profile| corresponds to the primary user profile
+  // of the current session.
+  static bool IsPrimaryProfile(Profile* profile);
+
   // Initialize a bunch of services that are tied to a browser profile.
   // TODO(dzhioev): Investigate whether or not this method is needed.
   void ProfileStartup(Profile* profile, bool process_startup);

chrome/browser/signin/easy_unlock_service.cc

@@ -24,6 +24,7 @@
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/login/users/user_manager.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
 #endif
 
 namespace {
@@ -90,6 +91,9 @@ bool EasyUnlockService::IsAllowed() {
   if (chromeos::UserManager::Get()->IsLoggedInAsGuest())
     return false;
 
+  if (!chromeos::ProfileHelper::IsPrimaryProfile(profile_))
+    return false;
+
   if (!profile_->GetPrefs()->GetBoolean(prefs::kEasyUnlockAllowed))
     return false;
 

chrome/browser/signin/easy_unlock_service_browsertest_chromeos.cc

@@ -6,6 +6,11 @@
 #include "base/macros.h"
 #include "base/run_loop.h"
 #include "base/values.h"
+#include "chrome/browser/chromeos/login/login_manager_test.h"
+#include "chrome/browser/chromeos/login/startup_utils.h"
+#include "chrome/browser/chromeos/login/ui/user_adding_screen.h"
+#include "chrome/browser/chromeos/login/users/user_manager.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/signin/easy_unlock_service.h"
@@ -21,9 +26,31 @@
 #include "policy/policy_constants.h"
 #include "testing/gmock/include/gmock/gmock.h"
 
+using chromeos::ProfileHelper;
+using chromeos::LoginManagerTest;
+using chromeos::StartupUtils;
+using chromeos::UserAddingScreen;
+using chromeos::UserManager;
 using testing::_;
 using testing::Return;
 
+namespace {
+
+const char kTestUser1[] = "primary.user@example.com";
+const char kTestUser2[] = "secondary.user@example.com";
+
+#if defined(GOOGLE_CHROME_BUILD)
+bool HasEasyUnlockAppForProfile(Profile* profile) {
+  extensions::ExtensionSystem* extension_system =
+      extensions::ExtensionSystem::Get(profile);
+  ExtensionService* extension_service = extension_system->extension_service();
+  return !!extension_service->GetExtensionById(
+      extension_misc::kEasyUnlockAppId, false);
+}
+#endif
+
+} //namespace
+
 class EasyUnlockServiceTest : public InProcessBrowserTest {
  public:
   EasyUnlockServiceTest() {}
@@ -42,11 +69,7 @@ class EasyUnlockServiceTest : public InProcessBrowserTest {
 
 #if defined(GOOGLE_CHROME_BUILD)
   bool HasEasyUnlockApp() const {
-    extensions::ExtensionSystem* extension_system =
-        extensions::ExtensionSystem::Get(profile());
-    ExtensionService* extension_service = extension_system->extension_service();
-    return !!extension_service->GetExtensionById(
-        extension_misc::kEasyUnlockAppId, false);
+    return HasEasyUnlockAppForProfile(profile());
   }
 #endif
 
@@ -143,3 +166,43 @@ IN_PROC_BROWSER_TEST_F(EasyUnlockServiceFinchDisabledTest, StayDisabled) {
   EXPECT_FALSE(HasEasyUnlockApp());
 #endif
 }
+
+class EasyUnlockServiceMultiProfileTest : public LoginManagerTest {
+ public:
+  EasyUnlockServiceMultiProfileTest() : LoginManagerTest(false) {}
+  virtual ~EasyUnlockServiceMultiProfileTest() {}
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(EasyUnlockServiceMultiProfileTest);
+};
+
+IN_PROC_BROWSER_TEST_F(EasyUnlockServiceMultiProfileTest,
+                       PRE_DisallowedOnSecondaryProfile) {
+  RegisterUser(kTestUser1);
+  RegisterUser(kTestUser2);
+  StartupUtils::MarkOobeCompleted();
+}
+
+IN_PROC_BROWSER_TEST_F(EasyUnlockServiceMultiProfileTest,
+                       DisallowedOnSecondaryProfile) {
+  LoginUser(kTestUser1);
+  chromeos::UserAddingScreen::Get()->Start();
+  base::RunLoop().RunUntilIdle();
+  AddUser(kTestUser2);
+  const user_manager::User* primary_user =
+      UserManager::Get()->FindUser(kTestUser1);
+  const user_manager::User* secondary_user =
+      UserManager::Get()->FindUser(kTestUser2);
+
+  Profile* primary_profile = ProfileHelper::Get()->GetProfileByUserIdHash(
+      primary_user->username_hash());
+  Profile* secondary_profile = ProfileHelper::Get()->GetProfileByUserIdHash(
+      secondary_user->username_hash());
+
+  EXPECT_TRUE(EasyUnlockService::Get(primary_profile)->IsAllowed());
+  EXPECT_FALSE(EasyUnlockService::Get(secondary_profile)->IsAllowed());
+#if defined(GOOGLE_CHROME_BUILD)
+  EXPECT_TRUE(HasEasyUnlockAppForProfile(primary_profile));
+  EXPECT_FALSE(HasEasyUnlockAppForProfile(secondary_profile));
+#endif
+}