[Managed Session] Force managed sessions mode when network certificates are...

[Managed Session] Force managed sessions mode when network certificates are set via ONC device policy The same way as force-installed extensions, forced network certificates are considered "risky" should activate "Managed Session" mode (i.e. show warning about admin capabilities on the login page). Bug: 910218 Change-Id: Ic34898ed255f51b48b948b00ae4563bcd7939347 Reviewed-on: https://chromium-review.googlesource.com/c/1391590 Commit-Queue: Zakhar Voit <voit@google.com> Reviewed-by: Jacob Dufault <jdufault@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/master@{#625174}

[Managed Session] Force managed sessions mode when network certificates are...
[Managed Session] Force managed sessions mode when network certificates are set via ONC device policy The same way as force-installed extensions, forced network certificates are considered "risky" should activate "Managed Session" mode (i.e. show warning about admin capabilities on the login page). Bug: 910218 Change-Id: Ic34898ed255f51b48b948b00ae4563bcd7939347 Reviewed-on: https://chromium-review.googlesource.com/c/1391590 Commit-Queue: Zakhar Voit <voit@google.com> Reviewed-by: Jacob Dufault <jdufault@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Cr-Commit-Position: refs/heads/master@{#625174}
9b849d6b · Zakhar Voit · Commit Bot · 73b7f67a · 9b849d6b · 9b849d6b
Commit 9b849d6b authored Jan 23, 2019 by Zakhar Voit Committed by Commit Bot Jan 23, 2019
2 changed files
--- a/chrome/browser/chromeos/login/users/chrome_user_manager_impl.cc
+++ b/chrome/browser/chromeos/login/users/chrome_user_manager_impl.cc
@@ -50,6 +50,7 @@
 #include "chrome/browser/chromeos/login/users/multi_profile_user_controller.h"
 #include "chrome/browser/chromeos/login/users/supervised_user_manager_impl.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/device_network_configuration_updater.h"
 #include "chrome/browser/chromeos/printing/external_printers.h"
 #include "chrome/browser/chromeos/printing/external_printers_factory.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
@@ -263,6 +264,14 @@ bool AreRiskyExtensionsForceInstalled(
  return false;
 }

+bool AreForcedNetworkCertificatesInstalled() {
+  return !g_browser_process->platform_part()
+              ->browser_policy_connector_chromeos()
+              ->GetDeviceNetworkConfigurationUpdater()
+              ->GetAllAuthorityCertificates()
+              .empty();
+}
+
 }  // namespace

 // static
@@ -1470,11 +1479,9 @@ bool ChromeUserManagerImpl::IsManagedSessionEnabledForUser(

 bool ChromeUserManagerImpl::IsFullManagementDisclosureNeeded(
    policy::DeviceLocalAccountPolicyBroker* broker) const {
-  if (!IsManagedSessionEnabled(broker))
-    return false;
-  if (!AreRiskyExtensionsForceInstalled(broker))
-    return false;
-  return true;
+  return IsManagedSessionEnabled(broker) &&
+         (AreRiskyExtensionsForceInstalled(broker) ||
+          AreForcedNetworkCertificatesInstalled());
 }

 void ChromeUserManagerImpl::AddReportingUser(const AccountId& account_id) {

--- a/chrome/browser/chromeos/policy/device_local_account_browsertest.cc
+++ b/chrome/browser/chromeos/policy/device_local_account_browsertest.cc
@@ -59,6 +59,7 @@
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/cloud_external_data_manager_base_test_util.h"
 #include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
+#include "chrome/browser/chromeos/policy/device_network_configuration_updater.h"
 #include "chrome/browser/chromeos/policy/device_policy_builder.h"
 #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
@@ -95,6 +96,7 @@
 #include "chromeos/dbus/fake_session_manager_client.h"
 #include "chromeos/login/auth/mock_auth_status_consumer.h"
 #include "chromeos/login/auth/user_context.h"
+#include "chromeos/network/policy_certificate_provider.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "components/policy/core/common/cloud/cloud_policy_core.h"
 #include "components/policy/core/common/cloud/cloud_policy_store.h"
@@ -219,6 +221,28 @@ const char* const kInvalidRecommendedLocale[] = {
 const char kPublicSessionLocale[] = "de";
 const char kPublicSessionInputMethodIDTemplate[] = "_comp_ime_%sxkb:de:neo:ger";

+const char kFakeOncWithCertificate[] =
+    "{\"Certificates\":["
+    "{\"Type\":\"Authority\","
+    "\"TrustBits\":[\"Web\"],"
+    "\"X509\":\"-----BEGIN CERTIFICATE-----\n"
+    "MIICVTCCAb6gAwIBAgIJAK8kOY/OQDsKMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNV\n"
+    "BAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn\n"
+    "aXRzIFB0eSBMdGQwHhcNMTgxMjI3MTIyNjI0WhcNMTkxMjI3MTIyNjI0WjBCMQsw\n"
+    "CQYDVQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEhMB8GA1UECgwYSW50ZXJuZXQg\n"
+    "V2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbFncT\n"
+    "Q8slhRgLg7sK9DhkYZaNiD1jVbdGvuXahex3uQl+2bACyQ7Peq/MkpFLy4M75nj3\n"
+    "WrydAycw1KCDPENPz2jmdHwGl5+6P7bob0Rqe+4i/9XwGdl8EPH5GFZbaz8aSYiL\n"
+    "/aaVvOm+8IYrhbp44s3cOLriPaQDbWtZMZKCiwIDAQABo1MwUTAdBgNVHQ4EFgQU\n"
+    "26bvyiqj3uQynNcZru72m3Uv3eswHwYDVR0jBBgwFoAU26bvyiqj3uQynNcZru72\n"
+    "m3Uv3eswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQCHKz8NJg6f\n"
+    "qwkFmG+tOsfyn3JHj3NfkMGJugSV6Yf7LYJXHpc4kWmfGuseTtHt57PG/BzCjLs1\n"
+    "qTF8svVecDj5Qku/SbGQCf2Vg/tLnq8XidbMmp26nUXrLzNQnTm0MJYEk6PJRiod\n"
+    "BIrpuq5z+9r//9f27iXidR94qFbbvServw==\n"
+    "-----END CERTIFICATE-----\","
+    "\"GUID\":\"{00f79111-51e0-e6e0-76b3b55450d80a1b}\"}"
+    "]}";
+
 bool IsLogoutConfirmationDialogShowing() {
  // Wait for any browser window close mojo messages to propagate to ash.
  aura::test::WaitForAllChangesToComplete();
@@ -2343,6 +2367,21 @@ IN_PROC_BROWSER_TEST_F(DeviceLocalAccountTest, PolicyForExtensions) {

 class ManagedSessionsTest : public DeviceLocalAccountTest {
 protected:
+  class CertsObserver : public chromeos::PolicyCertificateProvider::Observer {
+   public:
+    explicit CertsObserver(base::OnceClosure on_change)
+        : on_change_(std::move(on_change)) {}
+
+    void OnPolicyProvidedCertsChanged(
+        const net::CertificateList& all_server_and_authority_certs,
+        const net::CertificateList& trust_anchors) override {
+      std::move(on_change_).Run();
+    }
+
+   private:
+    base::OnceClosure on_change_;
+  };
+
  void StartTestExtensionsServer() {
    ASSERT_TRUE(embedded_test_server()->InitializeAndListen());
    scoped_refptr<TestingUpdateManifestProvider>
@@ -2380,6 +2419,26 @@ class ManagedSessionsTest : public DeviceLocalAccountTest {
  void AddForceInstalledWhitelistedExtension() {
    AddExtension(kPublicSessionWhitelistedExtensionID);
  }
+
+  void WaitForCertificateUpdate() {
+    policy::DeviceNetworkConfigurationUpdater* updater =
+        g_browser_process->platform_part()
+            ->browser_policy_connector_chromeos()
+            ->GetDeviceNetworkConfigurationUpdater();
+    base::RunLoop run_loop;
+    auto observer = std::make_unique<CertsObserver>(run_loop.QuitClosure());
+    updater->AddPolicyProvidedCertsObserver(observer.get());
+    run_loop.Run();
+    updater->RemovePolicyProvidedCertsObserver(observer.get());
+  }
+
+  void AddNetworkCertificateToDevicePolicy() {
+    em::ChromeDeviceSettingsProto& proto(device_policy()->payload());
+    proto.mutable_open_network_configuration()->set_open_network_configuration(
+        kFakeOncWithCertificate);
+    RefreshDevicePolicy();
+    WaitForCertificateUpdate();
+  }
 };

 IN_PROC_BROWSER_TEST_F(ManagedSessionsTest, ManagedSessionsDisabled) {
@@ -2469,6 +2528,35 @@ IN_PROC_BROWSER_TEST_F(ManagedSessionsTest, WhitelistedExtension) {
          broker));
 }

+IN_PROC_BROWSER_TEST_F(ManagedSessionsTest, NetworkCertificate) {
+  SetManagedSessionsEnabled(/* managed_sessions_enabled */ true);
+
+  // Install and refresh the device policy now. This will also fetch the initial
+  // user policy for the device-local account now.
+  UploadAndInstallDeviceLocalAccountPolicy();
+  AddPublicSessionToDevicePolicy(kAccountId1);
+  AddNetworkCertificateToDevicePolicy();
+  WaitForPolicy();
+
+  const user_manager::User* user =
+      user_manager::UserManager::Get()->FindUser(account_id_1_);
+  ASSERT_TRUE(user);
+  auto* broker = GetDeviceLocalAccountPolicyBroker();
+  ASSERT_TRUE(broker);
+
+  // Check that 'DeviceLocalAccountManagedSessionEnabled' policy was applied
+  // correctly.
+  EXPECT_TRUE(
+      chromeos::ChromeUserManager::Get()->IsManagedSessionEnabledForUser(
+          *user));
+
+  // Check that network certificate pushed via policy activates managed sessions
+  // mode.
+  EXPECT_TRUE(
+      chromeos::ChromeUserManager::Get()->IsFullManagementDisclosureNeeded(
+          broker));
+}
+
 class TermsOfServiceDownloadTest : public DeviceLocalAccountTest,
                                   public testing::WithParamInterface<bool> {
 };