cros: Check policy if fingerprint should be allowed for the user.

Note that the default policy value used to be only "PIN", so fingerprint may
be disabled for users until their prefs are reset to default values (for
example, they can remove and re-add their account).

To avoid this issue in the future, the default policy value is changed to "ALL".

Bug: 884266
Change-Id: I8809a2fcd571149df60cd2ef2013ac6d73971397
Reviewed-on: https://chromium-review.googlesource.com/c/1271586
Commit-Queue: Jacob Dufault <jdufault@chromium.org>
Reviewed-by: Sergey Poromov <poromov@chromium.org>
Reviewed-by: Sammie Quon <sammiequon@chromium.org>
Cr-Commit-Position: refs/heads/master@{#598907}

chrome/browser/chromeos/login/quick_unlock/quick_unlock_utils.cc

@@ -8,6 +8,8 @@
 #include "base/time/time.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/common/chrome_features.h"
 #include "chrome/common/pref_names.h"
 #include "components/prefs/pref_registry_simple.h"
@@ -25,8 +27,25 @@ bool disable_pin_by_policy_for_testing_ = false;
 // Options for the quick unlock whitelist.
 const char kQuickUnlockWhitelistOptionAll[] = "all";
 const char kQuickUnlockWhitelistOptionPin[] = "PIN";
+const char kQuickUnlockWhitelistOptionFingerprint[] = "FINGERPRINT";
+
 // Default minimum PIN length. Policy can increase or decrease this value.
 constexpr int kDefaultMinimumPinLength = 6;
+
+bool HasPolicyValue(const PrefService* pref_service, const char* value) {
+  const base::ListValue* quick_unlock_whitelist =
+      pref_service->GetList(prefs::kQuickUnlockModeWhitelist);
+  return quick_unlock_whitelist->Find(base::Value(value)) !=
+         quick_unlock_whitelist->end();
+}
+
+bool IsFingerprintDisabledByPolicy(const PrefService* pref_service) {
+  const bool enabled =
+      HasPolicyValue(pref_service, kQuickUnlockWhitelistOptionAll) ||
+      HasPolicyValue(pref_service, kQuickUnlockWhitelistOptionFingerprint);
+  return !enabled;
+}
+
 }  // namespace
 
 base::TimeDelta PasswordConfirmationFrequencyToTimeDelta(
@@ -47,7 +66,7 @@ base::TimeDelta PasswordConfirmationFrequencyToTimeDelta(
 
 void RegisterProfilePrefs(PrefRegistrySimple* registry) {
   base::ListValue quick_unlock_whitelist_default;
-  quick_unlock_whitelist_default.AppendString(kQuickUnlockWhitelistOptionPin);
+  quick_unlock_whitelist_default.AppendString(kQuickUnlockWhitelistOptionAll);
   registry->RegisterListPref(prefs::kQuickUnlockModeWhitelist,
                              quick_unlock_whitelist_default.CreateDeepCopy());
   registry->RegisterIntegerPref(
@@ -69,18 +88,10 @@ bool IsPinDisabledByPolicy(PrefService* pref_service) {
   if (enable_for_testing_)
     return false;
 
-  const base::ListValue* quick_unlock_whitelist =
-      pref_service->GetList(prefs::kQuickUnlockModeWhitelist);
-  base::Value all_value(kQuickUnlockWhitelistOptionAll);
-  base::Value pin_value(kQuickUnlockWhitelistOptionPin);
-  if (quick_unlock_whitelist->Find(all_value) ==
-          quick_unlock_whitelist->end() &&
-      quick_unlock_whitelist->Find(pin_value) ==
-          quick_unlock_whitelist->end()) {
-    return true;
-  }
-
-  return false;
+  const bool enabled =
+      HasPolicyValue(pref_service, kQuickUnlockWhitelistOptionAll) ||
+      HasPolicyValue(pref_service, kQuickUnlockWhitelistOptionPin);
+  return !enabled;
 }
 
 bool IsPinEnabled(PrefService* pref_service) {
@@ -106,6 +117,11 @@ bool IsFingerprintEnabled() {
   if (user_manager->GetActiveUser() != user_manager->GetPrimaryUser())
     return false;
 
+  // Disable fingerprint if forbidden by policy.
+  const Profile* profile = ProfileManager::GetPrimaryUserProfile();
+  if (IsFingerprintDisabledByPolicy(profile->GetPrefs()))
+    return false;
+
   // Enable fingerprint unlock only if the switch is present.
   return base::FeatureList::IsEnabled(features::kQuickUnlockFingerprint);
 }

chrome/browser/chromeos/login/quick_unlock/quick_unlock_utils.h

@@ -38,7 +38,7 @@ bool IsPinDisabledByPolicy(PrefService* pref_service);
 // Returns true if the quick unlock feature flag is present.
 bool IsPinEnabled(PrefService* pref_service);
 
-// Returns true if the fingerprint unlock feature flag is present.
+// Returns true if the fingerprint is allowed for the current active user.
 bool IsFingerprintEnabled();
 
 // Forcibly enable all quick-unlock modes for testing.

components/policy/resources/policy_templates.json

@@ -11073,7 +11073,8 @@
           'type': 'string',
           'enum': [
             'all',
-            'PIN'
+            'PIN',
+            'FINGERPRINT',
           ],
         },
         'id': 'QuickUnlockModeWhitelist',
@@ -11090,9 +11091,9 @@
       'tags': [],
       'desc': '''A whitelist controlling which quick unlock modes the user can configure and use to unlock the lock screen.
 
-          This value is a list of strings; valid list entries are: "all", "PIN". Adding "all" to the list means that every quick unlock mode is available to the user, including ones implemented in the future. Otherwise, only the quick unlock modes present in the list will be available.
+          This value is a list of strings; valid list entries are: "all", "PIN", "FINGERPRINT". Adding "all" to the list means that every quick unlock mode is available to the user, including ones implemented in the future. Otherwise, only the quick unlock modes present in the list will be available.
 
-          For example, to allow every quick unlock mode, use ["all"]. To allow only PIN unlock, use ["PIN"]. To disable all quick unlock modes, use [].
+          For example, to allow every quick unlock mode, use ["all"]. To allow only PIN unlock, use ["PIN"]. To allow PIN and fingerprint, use ["PIN", "FINGERPRINT"]. To disable all quick unlock modes, use [].
 
           By default, no quick unlock modes are available for managed devices.''',
     },