Commit 85bd68c7 authored by Anastasiia Nikolaienko's avatar Anastasiia Nikolaienko Committed by Commit Bot

Disallow secondary accounts in ARC for Child users

Project Beaker on Chrome OS is going to allow child users the addition
of secondary accounts, but it's going to be limited to web only.

- If user has transitioned from child account to regular -
TriggerAccountsPushToArc will add accounts to ARC on startup.
- If user has transitioned from regular account to child -
HandleSupervisionTransition will remove all secondary accounts from
ARC.

The update is going to be executed on startup, since to transition to
another type, the user needs to sign out and sign in again (I think).

ARC CL: http://ag/9615344

Bug: 1017160
Change-Id: I323a18aca9c9f63e6a3869d9b9dd4dd34432c31c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1876089Reviewed-by: default avatarMattias Nissler <mnissler@chromium.org>
Reviewed-by: default avatarYury Khmel <khmel@chromium.org>
Commit-Queue: Anastasiia Nikolaienko <anastasiian@chromium.org>
Cr-Commit-Position: refs/heads/master@{#711171}
parent 104865d0
...@@ -31,6 +31,7 @@ ...@@ -31,6 +31,7 @@
#include "chrome/browser/ui/settings_window_manager_chromeos.h" #include "chrome/browser/ui/settings_window_manager_chromeos.h"
#include "chrome/browser/ui/webui/signin/inline_login_handler_dialog_chromeos.h" #include "chrome/browser/ui/webui/signin/inline_login_handler_dialog_chromeos.h"
#include "chrome/common/webui_url_constants.h" #include "chrome/common/webui_url_constants.h"
#include "chromeos/constants/chromeos_features.h"
#include "components/arc/arc_browser_context_keyed_service_factory_base.h" #include "components/arc/arc_browser_context_keyed_service_factory_base.h"
#include "components/arc/arc_features.h" #include "components/arc/arc_features.h"
#include "components/arc/arc_prefs.h" #include "components/arc/arc_prefs.h"
...@@ -283,6 +284,13 @@ void ArcAuthService::OnConnectionReady() { ...@@ -283,6 +284,13 @@ void ArcAuthService::OnConnectionReady() {
if (arc::IsArcProvisioned(profile_)) { if (arc::IsArcProvisioned(profile_)) {
TriggerAccountManagerMigrationsIfRequired(profile_); TriggerAccountManagerMigrationsIfRequired(profile_);
TriggerAccountsPushToArc(false /* filter_primary_account */); TriggerAccountsPushToArc(false /* filter_primary_account */);
if (chromeos::features::IsEduCoexistenceEnabled() &&
GetSupervisionTransition(profile_) ==
ArcSupervisionTransition::REGULAR_TO_CHILD) {
// If profile transitioned from Child to Regular, accounts have already
// been pushed to ARC.
RemoveSecondaryAccountsFromArc();
}
} }
if (pending_get_arc_accounts_callback_) if (pending_get_arc_accounts_callback_)
...@@ -557,6 +565,11 @@ void ArcAuthService::OnRefreshTokenUpdatedForAccount( ...@@ -557,6 +565,11 @@ void ArcAuthService::OnRefreshTokenUpdatedForAccount(
if (!arc::IsArcProvisioned(profile_)) if (!arc::IsArcProvisioned(profile_))
return; return;
// For child device accounts do not allow the propagation of secondary
// accounts from Chrome OS Account Manager to ARC.
if (profile_->IsChild() && !IsPrimaryGaiaAccount(account_info.gaia))
return;
if (identity_manager_->HasAccountWithRefreshTokenInPersistentErrorState( if (identity_manager_->HasAccountWithRefreshTokenInPersistentErrorState(
account_info.account_id)) { account_info.account_id)) {
VLOG(1) << "Ignoring account update due to lack of a valid token: " VLOG(1) << "Ignoring account update due to lack of a valid token: "
...@@ -819,4 +832,13 @@ void ArcAuthService::OnMainAccountResolutionStatus( ...@@ -819,4 +832,13 @@ void ArcAuthService::OnMainAccountResolutionStatus(
UpdateMainAccountResolutionStatus(profile_, status); UpdateMainAccountResolutionStatus(profile_, status);
} }
void ArcAuthService::RemoveSecondaryAccountsFromArc() {
auto* instance = ARC_GET_INSTANCE_FOR_METHOD(arc_bridge_service_->auth(),
RemoveSecondaryAccounts);
if (!instance)
return;
instance->RemoveSecondaryAccounts();
}
} // namespace arc } // namespace arc
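Review bot: RemoveSecondaryAccountsFromArc() returns silently when `ARC_GET_INSTANCE_FOR_METHOD` yields no instance, so on an ARC side that does not provide `RemoveSecondaryAccounts` (the mojom marks it MinVersion=23) the secondary accounts of a user who became a child presumably stay in ARC and nothing records it. This is the only cleanup path for the Regular-to-Child case in this change, so the early return should at least log, e.g. `LOG(ERROR) << "RemoveSecondaryAccounts unavailable; secondary accounts left in ARC";`. Whether the cleanup is retried on a later connection depends on when the supervision-transition state is cleared, which is not visible in these hunks. Separately, the comment inside the `REGULAR_TO_CHILD` branch of OnConnectionReady() describes the opposite transition; `// Regular -> Child: secondary accounts may already be in ARC and must be removed.` would match the condition.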
...@@ -193,6 +193,10 @@ class ArcAuthService : public KeyedService, ...@@ -193,6 +193,10 @@ class ArcAuthService : public KeyedService,
// Response for |mojom::GetMainAccountResolutionStatus|. // Response for |mojom::GetMainAccountResolutionStatus|.
void OnMainAccountResolutionStatus(mojom::MainAccountResolutionStatus status); void OnMainAccountResolutionStatus(mojom::MainAccountResolutionStatus status);
// Removes secondary accounts from ARC. For child device accounts propagation
// of secondary accounts from Chrome OS Account Manager to ARC is not allowed.
void RemoveSecondaryAccountsFromArc();
// Non-owning pointers. // Non-owning pointers.
Profile* const profile_; Profile* const profile_;
signin::IdentityManager* const identity_manager_; signin::IdentityManager* const identity_manager_;
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style license that can be // Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file. // found in the LICENSE file.
// Next MinVersion: 23 // Next MinVersion: 24
module arc.mojom; module arc.mojom;
...@@ -338,7 +338,7 @@ interface AuthHost { ...@@ -338,7 +338,7 @@ interface AuthHost {
[MinVersion=20] HandleUpdateCredentialsRequest@17(string account_name); [MinVersion=20] HandleUpdateCredentialsRequest@17(string account_name);
}; };
// Next Method ID: 6 // Next Method ID: 7
interface AuthInstance { interface AuthInstance {
// DEPRECATED: Please use Init@2 instead. // DEPRECATED: Please use Init@2 instead.
InitDeprecated@0(AuthHost host_ptr); InitDeprecated@0(AuthHost host_ptr);
...@@ -371,4 +371,12 @@ interface AuthInstance { ...@@ -371,4 +371,12 @@ interface AuthInstance {
// Gets resolution status of main account for statistics reporting. // Gets resolution status of main account for statistics reporting.
[MinVersion=22] GetMainAccountResolutionStatus@5() [MinVersion=22] GetMainAccountResolutionStatus@5()
=> (MainAccountResolutionStatus status); => (MainAccountResolutionStatus status);
// A notification that all secondary accounts should be removed from ARC.
// Equivalent to calling |OnAccountUpdated| with AccountUpdateType::REMOVAL
// for each secondary account and in case of inconsistency between Chrome OS
// Account Manager and ARC accounts, inconsistent accounts will be also
// removed from ARC. Should be called on transition from Regular to Child
// account type.
[MinVersion=23] RemoveSecondaryAccounts@6();
}; };
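Review bot: `RemoveSecondaryAccounts@6()` is declared without a response, so the host cannot tell whether ARC actually removed the accounts, and the comment does not mention this. If this call is what enforces the child-account restriction inside ARC, consider a reply such as `[MinVersion=23] RemoveSecondaryAccounts@6() => (bool success);` so the browser side can log or retry a failed cleanup. Otherwise, state in the comment that the call is one-way and that the ARC side is responsible for completing the removal. The ARC implementation is in a separate change and is not visible here.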