Unconditionally use CertVerifierBuiltin for sign-in/lock profiles

Starting with M-78, use CertVerifierBuiltin for sign-in/lock profiles unconditionally. This allows easier reasoning about the state when implementing features that rely on the CertVerifierBuiltin to be enabled on the sign-in screen. Bug: 939344 Test: browser_tests --gtest_filter=*ProfileNetworkContext* Change-Id: I5d53b1b534370592fbd57d9bbbbc830962f32388 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1750004 Commit-Queue: Pavol Marko <pmarko@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#686593}

Unconditionally use CertVerifierBuiltin for sign-in/lock profiles
Starting with M-78, use CertVerifierBuiltin for sign-in/lock profiles unconditionally. This allows easier reasoning about the state when implementing features that rely on the CertVerifierBuiltin to be enabled on the sign-in screen. Bug: 939344 Test: browser_tests --gtest_filter=*ProfileNetworkContext* Change-Id: I5d53b1b534370592fbd57d9bbbbc830962f32388 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1750004 Commit-Queue: Pavol Marko <pmarko@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Cr-Commit-Position: refs/heads/master@{#686593}
74427c0a · Pavol Marko · Commit Bot · 6aa36d4d · 74427c0a · 74427c0a
Commit 74427c0a authored Aug 13, 2019 by Pavol Marko Committed by Commit Bot Aug 13, 2019
2 changed files
--- a/chrome/browser/net/profile_network_context_service.cc
+++ b/chrome/browser/net/profile_network_context_service.cc
@@ -109,11 +109,7 @@ bool ShouldUseBuiltinCertVerifier(Profile* profile) {

  if (chromeos::ProfileHelper::Get()->IsSigninProfile(profile) ||
      chromeos::ProfileHelper::Get()->IsLockScreenAppProfile(profile)) {
-    // No need to override the feature-set setting through policy for sign-in
-    // and lock screen app profiles, as no custom trust anchors can be active
-    // there.
-    return base::FeatureList::IsEnabled(
-        net::features::kCertVerifierBuiltinFeature);
+    return true;
  }

  // TODO(https://crbug.com/982936): Instead of evaluating the primary profile

--- a/chrome/browser/net/profile_network_context_service_browsertest.cc
+++ b/chrome/browser/net/profile_network_context_service_browsertest.cc
@@ -320,25 +320,26 @@ class ProfileNetworkContextServiceCertVerifierBuiltinDisabledBrowsertest
      ProfileNetworkContextServiceCertVerifierBuiltinDisabledBrowsertest);
 };

-// If the built-in cert verifier is disabled, it should be disabled everywhere.
+// If the built-in cert verifier feature is disabled, it should be disabled in
+// user profiles but enabled in the sign-in profile.
 IN_PROC_BROWSER_TEST_F(
    ProfileNetworkContextServiceCertVerifierBuiltinDisabledBrowsertest,
    TurnedOffByFeature) {
  SkipToLoginScreen();
-  EXPECT_FALSE(IsSigninProfileUsingBuiltinCertVerifier());
+  EXPECT_TRUE(IsSigninProfileUsingBuiltinCertVerifier());

  LogIn(kAccountId, kAccountPassword, kEmptyServices);

  EXPECT_FALSE(IsActiveProfileUsingBuiltinCertVerifier());
 }

-// If the built-in cert verifier is disabled, but policy force-enables it for a
-// profile, it should be enabled in the profile.
+// If the built-in cert verifier feature is disabled, but policy force-enables
+// it for a profile, it should be enabled in the profile.
 IN_PROC_BROWSER_TEST_F(
    ProfileNetworkContextServiceCertVerifierBuiltinDisabledBrowsertest,
    TurnedOffByFeatureOverrideByPolicy) {
  SkipToLoginScreen();
-  EXPECT_FALSE(IsSigninProfileUsingBuiltinCertVerifier());
+  EXPECT_TRUE(IsSigninProfileUsingBuiltinCertVerifier());

  SetPolicyValue(policy::key::kBuiltinCertificateVerifierEnabled,
                 base::Value(true));