DLP: Fix DlpController::IsDataReadAllowed

- Refactored DataTransferDlpController::
IsDataReadAllowed so it'd be easier to identify
which types are supported and which aren't.
- ClipboardHistory endpoint should have given
a privilege access as a destination but it was
handled as source instead by mistake.
- Allowed data of any source to be read except
URLs given that it's the only type supported now
as a source.
- Disabled notification for Files app.

Bug: 1139835, 1136656
Change-Id: If10d3962e9f2ac7cc4353f4d133b043ad05abbec
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2556639Reviewed-by: Sergey Poromov <poromov@chromium.org>
Reviewed-by: Nikita Podguzov <nikitapodguzov@chromium.org>
Commit-Queue: Aya Elsayed <ayaelattar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#830949}

chrome/browser/chromeos/policy/dlp/data_transfer_dlp_controller.cc

@@ -9,12 +9,42 @@
 #include "base/notreached.h"
 #include "chrome/browser/chromeos/policy/dlp/dlp_rules_manager.h"
 #include "chrome/browser/profiles/profile_manager.h"
+#include "extensions/common/constants.h"
 #include "ui/base/clipboard/clipboard.h"
 #include "ui/base/data_transfer_policy/data_transfer_endpoint.h"
 #include "url/gurl.h"
 
 namespace policy {
 
+namespace {
+
+bool IsFilesApp(const GURL& url) {
+  return url.has_scheme() && url.SchemeIs(extensions::kExtensionScheme) &&
+         url.has_host() && url.host() == extension_misc::kFilesManagerAppId;
+}
+
+DlpRulesManager::Level IsDstRestricted(const GURL& src, const GURL& dst) {
+  return DlpRulesManager::Get()->IsRestrictedDestination(
+      src, dst, DlpRulesManager::Restriction::kClipboard);
+}
+
+DlpRulesManager::Level IsGuestOsRestricted(const GURL& src) {
+  return DlpRulesManager::Get()->IsRestrictedAnyOfComponents(
+      src,
+      std::vector<DlpRulesManager::Component>{
+          DlpRulesManager::Component::kPluginVm,
+          DlpRulesManager::Component::kCrostini},
+      DlpRulesManager::Restriction::kClipboard);
+}
+
+DlpRulesManager::Level IsArcRestricted(const GURL& src) {
+  return DlpRulesManager::Get()->IsRestrictedComponent(
+      src, DlpRulesManager::Component::kArc,
+      DlpRulesManager::Restriction::kClipboard);
+}
+
+}  // namespace
+
 // static
 void DataTransferDlpController::Init() {
   if (!HasInstance())
@@ -24,38 +54,51 @@ void DataTransferDlpController::Init() {
 bool DataTransferDlpController::IsDataReadAllowed(
     const ui::DataTransferEndpoint* const data_src,
     const ui::DataTransferEndpoint* const data_dst) {
-  if (!data_src || data_src->type() == ui::EndpointType::kClipboardHistory) {
+  if (!data_src || !data_src->IsUrlType()) {  // Currently we only handle URLs.
     return true;
   }
 
+  const GURL src_url = data_src->origin()->GetURL();
   DlpRulesManager::Level level = DlpRulesManager::Level::kAllow;
+  bool notify_on_paste = !data_dst || data_dst->notify_if_restricted();
+  ui::EndpointType dst_type =
+      data_dst ? data_dst->type() : ui::EndpointType::kDefault;
 
-  if (!data_dst || data_dst->type() == ui::EndpointType::kDefault) {
-    // Passing empty URL will return restricted if there's a rule restricting
-    // the src against any dst (*), otherwise it will return ALLOW.
-    level = DlpRulesManager::Get()->IsRestrictedDestination(
-        data_src->origin()->GetURL(), GURL(),
-        DlpRulesManager::Restriction::kClipboard);
-  } else if (data_dst->IsUrlType()) {
-    level = DlpRulesManager::Get()->IsRestrictedDestination(
-        data_src->origin()->GetURL(), data_dst->origin()->GetURL(),
-        DlpRulesManager::Restriction::kClipboard);
-  } else if (data_dst->type() == ui::EndpointType::kGuestOs) {
-    level = DlpRulesManager::Get()->IsRestrictedAnyOfComponents(
-        data_src->origin()->GetURL(),
-        std::vector<DlpRulesManager::Component>{
-            DlpRulesManager::Component::kPluginVm,
-            DlpRulesManager::Component::kCrostini},
-        DlpRulesManager::Restriction::kClipboard);
-  } else if (data_dst->type() == ui::EndpointType::kArc) {
-    level = DlpRulesManager::Get()->IsRestrictedComponent(
-        data_src->origin()->GetURL(), DlpRulesManager::Component::kArc,
-        DlpRulesManager::Restriction::kClipboard);
-  } else {
-    NOTREACHED();
-  }
+  switch (dst_type) {
+    case ui::EndpointType::kDefault:
+      // Passing empty URL will return restricted if there's a rule restricting
+      // the src against any dst (*), otherwise it will return ALLOW.
+      level = IsDstRestricted(src_url, GURL());
+      break;
 
-  bool notify_on_paste = !data_dst || data_dst->notify_if_restricted();
+    case ui::EndpointType::kUrl: {
+      GURL dst_url = data_dst->origin()->GetURL();
+      level = IsDstRestricted(src_url, dst_url);
+      // Files Apps continously reads the clipboard data which triggers a lot of
+      // notifications while the user isn't actually initiating any copy/paste.
+      // TODO(crbug.com/1152475): Find a better way to handle File app.
+      if (IsFilesApp(dst_url))
+        notify_on_paste = false;
+      break;
+    }
+
+    case ui::EndpointType::kGuestOs:
+      level = IsGuestOsRestricted(src_url);
+      break;
+
+    case ui::EndpointType::kArc:
+      level = IsArcRestricted(src_url);
+      break;
+
+    case ui::EndpointType::kClipboardHistory:
+      // When ClipboardHistory tries to read the clipboard we should allow it
+      // silently.
+      notify_on_paste = false;
+      break;
+
+    default:
+      NOTREACHED();
+  }
 
   if (level == DlpRulesManager::Level::kBlock && notify_on_paste) {
     helper_.NotifyBlockedPaste(data_src, data_dst);