Disable credential configuration on ARC++

If the admin installed a certificate that gets piped through to the Android side, the user should not be able to remove the cert in Android settings. Therefore, we set the configCredentialsDisallowed policy in clouddpc, that gets mapped to the DISALLOW_CONFIG_CREDENTIALS user restriction. Bug: b/67891423 Test: $OUT-DIR/unit_tests --gtest_filter=ArcPolicyBridgeTest.CaCertificateTest Change-Id: I7f3f349225c88c0eb4561e71bf235a081c153b16 Reviewed-on: https://chromium-review.googlesource.com/881443 Commit-Queue: Philipp Weiß <phweiss@chromium.org> Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org> Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org> Cr-Commit-Position: refs/heads/master@{#533706}

Disable credential configuration on ARC++
If the admin installed a certificate that gets piped through to the Android side, the user should not be able to remove the cert in Android settings. Therefore, we set the configCredentialsDisallowed policy in clouddpc, that gets mapped to the DISALLOW_CONFIG_CREDENTIALS user restriction. Bug: b/67891423 Test: $OUT-DIR/unit_tests --gtest_filter=ArcPolicyBridgeTest.CaCertificateTest Change-Id: I7f3f349225c88c0eb4561e71bf235a081c153b16 Reviewed-on: https://chromium-review.googlesource.com/881443 Commit-Queue: Philipp Weiß <phweiss@chromium.org> Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org> Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org> Cr-Commit-Position: refs/heads/master@{#533706}
9c15bed4 · phweiss · Commit Bot · 7538a95b · 9c15bed4 · 9c15bed4
Commit 9c15bed4 authored Feb 01, 2018 by phweiss Committed by Commit Bot Feb 01, 2018
2 changed files
--- a/chrome/browser/chromeos/arc/policy/arc_policy_bridge.cc
+++ b/chrome/browser/chromeos/arc/policy/arc_policy_bridge.cc
@@ -193,6 +193,8 @@ void AddOncCaCertsToPolicies(const policy::PolicyMap& policy_map,
    data.SetString("X509", x509_data);
    ca_certs->Append(data.CreateDeepCopy());
  }
+  if (!ca_certs->GetList().empty())
+    filtered_policies->SetKey("credentialsConfigDisabled", base::Value(true));
  filtered_policies->Set(kArcCaCerts, std::move(ca_certs));
 }


--- a/chrome/browser/chromeos/arc/policy/arc_policy_bridge_unittest.cc
+++ b/chrome/browser/chromeos/arc/policy/arc_policy_bridge_unittest.cc
@@ -126,6 +126,9 @@ class ArcPolicyBridgeTestBase {
        .WillRepeatedly(ReturnRef(policy_map_));
    EXPECT_CALL(policy_service_, AddObserver(policy::POLICY_DOMAIN_CHROME, _))
        .Times(1);
+    EXPECT_CALL(policy_service_,
+                RemoveObserver(policy::POLICY_DOMAIN_CHROME, _))
+        .Times(1);

    // Setting up user profile for ReportCompliance() tests.
    chromeos::FakeChromeUserManager* const fake_user_manager =
@@ -345,7 +348,8 @@ TEST_F(ArcPolicyBridgeTest, CaCertificateTest) {
      "saWdodCBpbiB0aGUgY29udGludWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Y"
      "ga25vd2xlZGdlLCBleGNlZWRzIHRoZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCB"
      "wbGVhc3VyZS4=\"}"
-      "]}"));
+      "],"
+      "\"credentialsConfigDisabled\":true}"));

  // Disable CA certificates sync.
  policy_map().Set(