Disallow secondary accounts in ARC for Child users

Project Beaker on Chrome OS is going to allow child users the addition
of secondary accounts, but it's going to be limited to web only.

- If user has transitioned from child account to regular -
TriggerAccountsPushToArc will add accounts to ARC on startup.
- If user has transitioned from regular account to child -
HandleSupervisionTransition will remove all secondary accounts from
ARC.

Update is going to be executed on startup, since to transition to
another type, user need to sign-out and sign-in again (I think).

ARC CL: http://ag/9615344

Bug: 1017160
Change-Id: I323a18aca9c9f63e6a3869d9b9dd4dd34432c31c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1876089Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Yury Khmel <khmel@chromium.org>
Commit-Queue: Anastasiia Nikolaienko <anastasiian@chromium.org>
Cr-Commit-Position: refs/heads/master@{#711171}

chrome/browser/chromeos/arc/auth/arc_auth_service.cc

@@ -31,6 +31,7 @@
 #include "chrome/browser/ui/settings_window_manager_chromeos.h"
 #include "chrome/browser/ui/webui/signin/inline_login_handler_dialog_chromeos.h"
 #include "chrome/common/webui_url_constants.h"
+#include "chromeos/constants/chromeos_features.h"
 #include "components/arc/arc_browser_context_keyed_service_factory_base.h"
 #include "components/arc/arc_features.h"
 #include "components/arc/arc_prefs.h"
@@ -283,6 +284,13 @@ void ArcAuthService::OnConnectionReady() {
   if (arc::IsArcProvisioned(profile_)) {
     TriggerAccountManagerMigrationsIfRequired(profile_);
     TriggerAccountsPushToArc(false /* filter_primary_account */);
+    if (chromeos::features::IsEduCoexistenceEnabled() &&
+        GetSupervisionTransition(profile_) ==
+            ArcSupervisionTransition::REGULAR_TO_CHILD) {
+      // If profile transitioned from Child to Regular, accounts have already
+      // been pushed to ARC.
+      RemoveSecondaryAccountsFromArc();
+    }
   }
 
   if (pending_get_arc_accounts_callback_)
@@ -557,6 +565,11 @@ void ArcAuthService::OnRefreshTokenUpdatedForAccount(
   if (!arc::IsArcProvisioned(profile_))
     return;
 
+  // For child device accounts do not allow the propagation of secondary
+  // accounts from Chrome OS Account Manager to ARC.
+  if (profile_->IsChild() && !IsPrimaryGaiaAccount(account_info.gaia))
+    return;
+
   if (identity_manager_->HasAccountWithRefreshTokenInPersistentErrorState(
           account_info.account_id)) {
     VLOG(1) << "Ignoring account update due to lack of a valid token: "
@@ -819,4 +832,13 @@ void ArcAuthService::OnMainAccountResolutionStatus(
   UpdateMainAccountResolutionStatus(profile_, status);
 }
 
+void ArcAuthService::RemoveSecondaryAccountsFromArc() {
+  auto* instance = ARC_GET_INSTANCE_FOR_METHOD(arc_bridge_service_->auth(),
+                                               RemoveSecondaryAccounts);
+  if (!instance)
+    return;
+
+  instance->RemoveSecondaryAccounts();
+}
+
 }  // namespace arc

chrome/browser/chromeos/arc/auth/arc_auth_service.h

@@ -193,6 +193,10 @@ class ArcAuthService : public KeyedService,
   // Response for |mojom::GetMainAccountResolutionStatus|.
   void OnMainAccountResolutionStatus(mojom::MainAccountResolutionStatus status);
 
+  // Removes secondary accounts from ARC. For child device accounts propagation
+  // of secondary accounts from Chrome OS Account Manager to ARC is not allowed.
+  void RemoveSecondaryAccountsFromArc();
+
   // Non-owning pointers.
   Profile* const profile_;
   signin::IdentityManager* const identity_manager_;

components/arc/mojom/auth.mojom

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Next MinVersion: 23
+// Next MinVersion: 24
 
 module arc.mojom;
 
@@ -338,7 +338,7 @@ interface AuthHost {
   [MinVersion=20] HandleUpdateCredentialsRequest@17(string account_name);
 };
 
-// Next Method ID: 6
+// Next Method ID: 7
 interface AuthInstance {
   // DEPRECATED: Please use Init@2 instead.
   InitDeprecated@0(AuthHost host_ptr);
@@ -371,4 +371,12 @@ interface AuthInstance {
   // Gets resolution status of main account for statistics reporting.
   [MinVersion=22] GetMainAccountResolutionStatus@5()
       => (MainAccountResolutionStatus status);
+
+  // A notification that all secondary accounts should be removed from ARC.
+  // Equivalent to calling |OnAccountUpdated| with AccountUpdateType::REMOVAL
+  // for each secondary account and in case of inconsistency between Chrome OS
+  // Account Manager and ARC accounts, inconsistent accounts will be also
+  // removed from ARC. Should be called on transition from Regular to Child
+  // account type.
+  [MinVersion=23] RemoveSecondaryAccounts@6();
 };