Move DM token reading code to ConnectorsService

This prepares future changes to read the user DM token by moving the DM token reading code to ConnectorsService. This also moves and adds the incognito mode check to ConnectorsService instead of having it in random code locations. Bug: 1148789, 1149425 Change-Id: I70779d2af97735ed76271a2d0cadf7b9956411f4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2537933Reviewed-by: Daniel Rubery <drubery@chromium.org> Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org> Cr-Commit-Position: refs/heads/master@{#836121}

Move DM token reading code to ConnectorsService
This prepares future changes to read the user DM token by moving the DM token reading code to ConnectorsService. This also moves and adds the incognito mode check to ConnectorsService instead of having it in random code locations. Bug: 1148789, 1149425 Change-Id: I70779d2af97735ed76271a2d0cadf7b9956411f4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2537933Reviewed-by: Daniel Rubery <drubery@chromium.org> Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org> Cr-Commit-Position: refs/heads/master@{#836121}
952e1441 · Dominique Fauteux-Chapleau · Chromium LUCI CQ · eab62498 · 952e1441 · 952e1441
Commit 952e1441 authored Dec 11, 2020 by Dominique Fauteux-Chapleau Committed by Chromium LUCI CQ Dec 11, 2020
10 changed files
--- a/chrome/browser/enterprise/connectors/common.cc
+++ b/chrome/browser/enterprise/connectors/common.cc
@@ -15,7 +15,8 @@ AnalysisSettings& AnalysisSettings::operator=(AnalysisSettings&&) = default;
 AnalysisSettings::~AnalysisSettings() = default;

 ReportingSettings::ReportingSettings() = default;
-ReportingSettings::ReportingSettings(GURL url) : reporting_url(url) {}
+ReportingSettings::ReportingSettings(GURL url, const std::string& dm_token)
+    : reporting_url(url), dm_token(dm_token) {}
 ReportingSettings::ReportingSettings(ReportingSettings&&) = default;
 ReportingSettings& ReportingSettings::operator=(ReportingSettings&&) = default;
 ReportingSettings::~ReportingSettings() = default;

--- a/chrome/browser/enterprise/connectors/common.h
+++ b/chrome/browser/enterprise/connectors/common.h
@@ -58,16 +58,21 @@ struct AnalysisSettings {

  // Minimum text size for BulkDataEntry scans. 0 means no minimum.
  size_t minimum_data_size = 100;
+
+  // The DM token to be used for scanning. May be empty, for example if this
+  // scan is initiated by APP.
+  std::string dm_token = "";
 };

 struct ReportingSettings {
  ReportingSettings();
-  explicit ReportingSettings(GURL url);
+  explicit ReportingSettings(GURL url, const std::string& dm_token);
  ReportingSettings(ReportingSettings&&);
  ReportingSettings& operator=(ReportingSettings&&);
  ~ReportingSettings();

  GURL reporting_url;
+  std::string dm_token;
 };

 // Returns the pref path corresponding to a connector.

--- a/chrome/browser/enterprise/connectors/connectors_service.cc
+++ b/chrome/browser/enterprise/connectors/connectors_service.cc
@@ -9,7 +9,12 @@
 #include "base/no_destructor.h"
 #include "chrome/browser/enterprise/connectors/connectors_manager.h"
 #include "chrome/browser/enterprise/connectors/service_provider_config.h"
+#include "chrome/browser/policy/dm_token_utils.h"
+#include "chrome/browser/profiles/profile.h"
+#include "components/enterprise/common/proto/connectors.pb.h"
 #include "components/keyed_service/content/browser_context_dependency_manager.h"
+#include "components/policy/core/common/cloud/dm_token.h"
+#include "components/policy/core/common/policy_types.h"
 #include "components/user_prefs/user_prefs.h"
 #include "content/public/browser/browser_context.h"

@@ -98,8 +103,10 @@ ServiceProviderConfig* GetServiceProviderConfig() {
 // ConnectorsService implementation
 // --------------------------------

-ConnectorsService::ConnectorsService(std::unique_ptr<ConnectorsManager> manager)
-    : connectors_manager_(std::move(manager)) {
+ConnectorsService::ConnectorsService(content::BrowserContext* context,
+                                     std::unique_ptr<ConnectorsManager> manager)
+    : context_(context), connectors_manager_(std::move(manager)) {
+  DCHECK(context_);
  DCHECK(connectors_manager_);
 }

@@ -107,37 +114,57 @@ ConnectorsService::~ConnectorsService() = default;

 base::Optional<ReportingSettings> ConnectorsService::GetReportingSettings(
    ReportingConnector connector) {
-  if (!base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled))
+  if (!ConnectorsEnabled())
+    return base::nullopt;
+
+  base::Optional<DmToken> dm_token = GetDmToken(ConnectorPref(connector));
+  if (!dm_token.has_value())
    return base::nullopt;

-  return connectors_manager_->GetReportingSettings(connector);
+  base::Optional<ReportingSettings> settings =
+      connectors_manager_->GetReportingSettings(connector);
+  if (settings.has_value()) {
+    settings.value().dm_token = dm_token.value().value;
+  }
+
+  return settings;
 }

 base::Optional<AnalysisSettings> ConnectorsService::GetAnalysisSettings(
    const GURL& url,
    AnalysisConnector connector) {
-  if (!base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled))
+  if (!ConnectorsEnabled())
+    return base::nullopt;
+
+  base::Optional<DmToken> dm_token = GetDmToken(ConnectorPref(connector));
+  if (!dm_token.has_value())
    return base::nullopt;

-  return connectors_manager_->GetAnalysisSettings(url, connector);
+  base::Optional<AnalysisSettings> settings =
+      connectors_manager_->GetAnalysisSettings(url, connector);
+  if (settings.has_value()) {
+    settings.value().dm_token = dm_token.value().value;
+  }
+
+  return settings;
 }

 bool ConnectorsService::IsConnectorEnabled(AnalysisConnector connector) const {
-  if (!base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled))
+  if (!ConnectorsEnabled())
    return false;

  return connectors_manager_->IsConnectorEnabled(connector);
 }

 bool ConnectorsService::IsConnectorEnabled(ReportingConnector connector) const {
-  if (!base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled))
+  if (!ConnectorsEnabled())
    return false;

  return connectors_manager_->IsConnectorEnabled(connector);
 }

 bool ConnectorsService::DelayUntilVerdict(AnalysisConnector connector) {
-  if (!base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled))
+  if (!ConnectorsEnabled())
    return false;

  return connectors_manager_->DelayUntilVerdict(connector);
@@ -147,6 +174,35 @@ ConnectorsManager* ConnectorsService::ConnectorsManagerForTesting() {
  return connectors_manager_.get();
 }

+ConnectorsService::DmToken::DmToken(const std::string& value,
+                                    policy::PolicyScope scope)
+    : value(value), scope(scope) {}
+ConnectorsService::DmToken::DmToken(DmToken&&) = default;
+ConnectorsService::DmToken& ConnectorsService::DmToken::operator=(DmToken&&) =
+    default;
+ConnectorsService::DmToken::~DmToken() = default;
+
+base::Optional<ConnectorsService::DmToken> ConnectorsService::GetDmToken(
+    const char* pref) {
+  // TODO(crbug.com/1148789): Add code to check the scope of |pref| and handle
+  // the "user" case.
+
+  policy::DMToken dm_token =
+      policy::GetDMToken(Profile::FromBrowserContext(context_));
+
+  if (!dm_token.is_valid())
+    return base::nullopt;
+
+  return DmToken(dm_token.value(), policy::POLICY_SCOPE_MACHINE);
+}
+
+bool ConnectorsService::ConnectorsEnabled() const {
+  if (!base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled))
+    return false;
+
+  return !Profile::FromBrowserContext(context_)->IsOffTheRecord();
+}
+
 // ---------------------------------------
 // ConnectorsServiceFactory implementation
 // ---------------------------------------
@@ -171,9 +227,11 @@ ConnectorsServiceFactory::~ConnectorsServiceFactory() = default;

 KeyedService* ConnectorsServiceFactory::BuildServiceInstanceFor(
    content::BrowserContext* context) const {
-  return new ConnectorsService(std::make_unique<ConnectorsManager>(
-      user_prefs::UserPrefs::Get(context), GetServiceProviderConfig(),
-      base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled)));
+  return new ConnectorsService(
+      context,
+      std::make_unique<ConnectorsManager>(
+          user_prefs::UserPrefs::Get(context), GetServiceProviderConfig(),
+          base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled)));
 }

 content::BrowserContext* ConnectorsServiceFactory::GetBrowserContextToUse(

--- a/chrome/browser/enterprise/connectors/connectors_service.h
+++ b/chrome/browser/enterprise/connectors/connectors_service.h
@@ -11,6 +11,7 @@
 #include "chrome/browser/enterprise/connectors/connectors_manager.h"
 #include "components/keyed_service/content/browser_context_keyed_service_factory.h"
 #include "components/keyed_service/core/keyed_service.h"
+#include "components/policy/core/common/policy_types.h"
 #include "content/public/browser/browser_context.h"

 namespace base {
@@ -36,7 +37,8 @@ ServiceProviderConfig* GetServiceProviderConfig();
 // A keyed service to access ConnectorsManager, which tracks Connector policies.
 class ConnectorsService : public KeyedService {
 public:
-  explicit ConnectorsService(std::unique_ptr<ConnectorsManager> manager);
+  ConnectorsService(content::BrowserContext* context,
+                    std::unique_ptr<ConnectorsManager> manager);
  ~ConnectorsService() override;

  // Accessors that check kEnterpriseConnectorsEnabled is enabled, and then call
@@ -56,6 +58,24 @@ class ConnectorsService : public KeyedService {
  ConnectorsManager* ConnectorsManagerForTesting();

 private:
+  struct DmToken {
+    DmToken(const std::string& value, policy::PolicyScope scope);
+    DmToken(DmToken&&);
+    DmToken& operator=(DmToken&&);
+    ~DmToken();
+
+    // The value of the token to use.
+    std::string value;
+
+    // The scope of the token. This is determined by the scope of the Connector
+    // policy used to get a DM token.
+    policy::PolicyScope scope;
+  };
+  base::Optional<DmToken> GetDmToken(const char* pref);
+
+  bool ConnectorsEnabled() const;
+
+  content::BrowserContext* context_;
  std::unique_ptr<ConnectorsManager> connectors_manager_;
 };


--- a/chrome/browser/enterprise/connectors/connectors_service_unittest.cc
+++ b/chrome/browser/enterprise/connectors/connectors_service_unittest.cc
@@ -7,6 +7,7 @@
 #include "base/json/json_reader.h"
 #include "base/test/scoped_feature_list.h"
 #include "chrome/browser/enterprise/connectors/common.h"
+#include "chrome/browser/policy/dm_token_utils.h"
 #include "chrome/test/base/testing_browser_process.h"
 #include "chrome/test/base/testing_profile_manager.h"
 #include "components/enterprise/common/proto/connectors.pb.h"
@@ -56,6 +57,8 @@ class ConnectorsServiceTest : public testing::Test {
      : profile_manager_(TestingBrowserProcess::GetGlobal()) {
    EXPECT_TRUE(profile_manager_.SetUp());
    profile_ = profile_manager_.CreateTestingProfile("test-user");
+    policy::SetDMTokenForTesting(
+        policy::DMToken::CreateValidTokenForTesting("fake-token"));
  }

 protected:

--- a/chrome/browser/enterprise/connectors/content_analysis_delegate.cc
+++ b/chrome/browser/enterprise/connectors/content_analysis_delegate.cc
@@ -264,14 +264,6 @@ bool ContentAnalysisDelegate::IsEnabled(
    GURL url,
    Data* data,
    enterprise_connectors::AnalysisConnector connector) {
-  // If this is an incognitio profile, don't perform scans.
-  if (profile->IsOffTheRecord())
-    return false;
-
-  // If there's no valid DM token, the upload will fail.
-  if (!policy::GetDMToken(profile).is_valid())
-    return false;
-
  auto* service =
      enterprise_connectors::ConnectorsServiceFactory::GetForBrowserContext(
          profile);
@@ -540,7 +532,7 @@ void ContentAnalysisDelegate::PrepareRequest(
  Profile* profile =
      Profile::FromBrowserContext(web_contents_->GetBrowserContext());

-  request->set_device_token(policy::GetDMToken(profile).value());
+  request->set_device_token(data_.settings.dm_token);
  request->set_analysis_connector(connector);
  request->set_email(safe_browsing::GetProfileEmail(profile));
  request->set_url(data_.url.spec());

--- a/chrome/browser/enterprise/connectors/content_analysis_delegate_unittest.cc
+++ b/chrome/browser/enterprise/connectors/content_analysis_delegate_unittest.cc
@@ -1613,6 +1613,9 @@ class ContentAnalysisDelegateSettingsTest
  void SetUp() override {
    BaseTest::SetUp();
    EnableFeatures();
+
+    // Settings can't be returned if no DM token exists.
+    SetDMTokenForTesting(policy::DMToken::CreateValidTokenForTesting(kDmToken));
  }

  bool allowed() const { return !GetParam(); }

--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.cc
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.cc
@@ -846,12 +846,15 @@ void SafeBrowsingPrivateEventRouter::InitRealtimeReportingClient() {
  //
  // Therefore, it is OK to retrieve the dm token once here on initialization
  // of the router to determine if real-time reporting can be enabled or not.
-  policy::DMToken dm_token =
-      policy::BrowserDMTokenStorage::Get()->RetrieveDMToken();
+  auto settings =
+      enterprise_connectors::ConnectorsServiceFactory::GetForBrowserContext(
+          context_)
+          ->GetReportingSettings(
+              enterprise_connectors::ReportingConnector::SECURITY_EVENT);
  std::string client_id =
      policy::BrowserDMTokenStorage::Get()->RetrieveClientId();

-  if (!dm_token.is_valid())
+  if (!settings.has_value() || settings.value().dm_token.empty())
    return;

  // Make sure DeviceManagementService has been initialized.
@@ -869,7 +872,7 @@ void SafeBrowsingPrivateEventRouter::InitRealtimeReportingClient() {

  if (!client->is_registered()) {
    client->SetupRegistration(
-        dm_token.value(), client_id,
+        settings.value().dm_token, client_id,
        /*user_affiliation_ids=*/std::vector<std::string>());
  }
 #endif

--- a/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router_unittest.cc
+++ b/chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router_unittest.cc
@@ -20,6 +20,7 @@
 #include "chrome/browser/enterprise/connectors/connectors_prefs.h"
 #include "chrome/browser/enterprise/connectors/connectors_service.h"
 #include "chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router_factory.h"
+#include "chrome/browser/policy/dm_token_utils.h"
 #include "chrome/browser/safe_browsing/cloud_content_scanning/deep_scanning_test_utils.h"
 #include "chrome/browser/safe_browsing/cloud_content_scanning/deep_scanning_utils.h"
 #include "chrome/common/chrome_switches.h"
@@ -145,6 +146,8 @@ class SafeBrowsingPrivateEventRouterTest : public testing::Test {
      : profile_manager_(TestingBrowserProcess::GetGlobal()) {
    EXPECT_TRUE(profile_manager_.SetUp());
    profile_ = profile_manager_.CreateTestingProfile("test-user");
+    policy::SetDMTokenForTesting(
+        policy::DMToken::CreateValidTokenForTesting("fake-token"));
  }

  ~SafeBrowsingPrivateEventRouterTest() override = default;

--- a/chrome/browser/safe_browsing/download_protection/deep_scanning_request.cc
+++ b/chrome/browser/safe_browsing/download_protection/deep_scanning_request.cc
@@ -241,7 +241,7 @@ void DeepScanningRequest::Start() {
 void DeepScanningRequest::PrepareRequest(BinaryUploadService::Request* request,
                                         Profile* profile) {
  if (trigger_ == DeepScanTrigger::TRIGGER_POLICY)
-    request->set_device_token(policy::GetDMToken(profile).value());
+    request->set_device_token(analysis_settings_.dm_token);

  request->set_analysis_connector(enterprise_connectors::FILE_DOWNLOADED);
  request->set_email(GetProfileEmail(profile));