[Kiosk] Allow platform apps in web kiosk mode

We need some of these apps like Files app, and possibly in future the
settings app.

Bug: 1047211
Change-Id: I270e9bc86d849f76470e4befb49b2968fc87e3e0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2031027
Commit-Queue: Anatoliy Potapchuk <apotapchuk@chromium.org>
Reviewed-by: Sergey Poromov <poromov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#737360}

chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc

@@ -858,18 +858,15 @@ bool DeviceLocalAccountManagementPolicyProvider::UserMayLoad(
         && IsSafeForPublicSession(extension)) {
       return true;
     }
-  } else if (account_type_ == policy::DeviceLocalAccount::TYPE_KIOSK_APP) {
-    // For single-app kiosk sessions, allow platform apps, extesions and shared
+  } else if (account_type_ == policy::DeviceLocalAccount::TYPE_KIOSK_APP ||
+             account_type_ == policy::DeviceLocalAccount::TYPE_WEB_KIOSK_APP) {
+    // For single-app kiosk sessions, allow platform apps, extensions and shared
     // modules.
     if (extension->GetType() == extensions::Manifest::TYPE_PLATFORM_APP ||
         extension->GetType() == extensions::Manifest::TYPE_SHARED_MODULE ||
         extension->GetType() == extensions::Manifest::TYPE_EXTENSION) {
       return true;
     }
-  } else if (account_type_ == policy::DeviceLocalAccount::TYPE_WEB_KIOSK_APP) {
-    if (extension->GetType() == extensions::Manifest::TYPE_EXTENSION) {
-      return true;
-    }
   }
 
   // Disallow all other extensions.

chrome/browser/chromeos/extensions/device_local_account_management_policy_provider_unittest.cc

@@ -589,50 +589,56 @@ TEST(DeviceLocalAccountManagementPolicyProviderTest, PublicSession) {
   }
 }
 
-TEST(DeviceLocalAccountManagementPolicyProviderTest, KioskAppSession) {
-  DeviceLocalAccountManagementPolicyProvider
-      provider(policy::DeviceLocalAccount::TYPE_KIOSK_APP);
-
-  // Verify that a platform app can be installed.
-  scoped_refptr<const extensions::Extension> extension = CreatePlatformApp();
-  ASSERT_TRUE(extension.get());
-  base::string16 error;
-  EXPECT_TRUE(provider.UserMayLoad(extension.get(), &error));
-  EXPECT_EQ(base::string16(), error);
-  error.clear();
+TEST(DeviceLocalAccountManagementPolicyProviderTest, KioskAppSessions) {
+  std::vector<policy::DeviceLocalAccount::Type> types = {
+      policy::DeviceLocalAccount::TYPE_KIOSK_APP,
+      policy::DeviceLocalAccount::TYPE_WEB_KIOSK_APP};
+
+  for (auto type : types) {
+    LOG(INFO) << "Testing device local account type = "<< static_cast<int>(type);
+    DeviceLocalAccountManagementPolicyProvider provider(type);
+
+    // Verify that a platform app can be installed.
+    scoped_refptr<const extensions::Extension> extension = CreatePlatformApp();
+    ASSERT_TRUE(extension.get());
+    base::string16 error;
+    EXPECT_TRUE(provider.UserMayLoad(extension.get(), &error));
+    EXPECT_EQ(base::string16(), error);
+    error.clear();
 
-  // Verify that an extension whose location has been whitelisted for use in
-  // other types of device-local accounts cannot be installed in a single-app
-  // kiosk session.
-  extension = CreateExternalComponentExtension();
-  ASSERT_TRUE(extension.get());
-  EXPECT_TRUE(provider.UserMayLoad(extension.get(), &error));
-  EXPECT_EQ(base::string16(), error);
-  error.clear();
+    // Verify that an extension whose location has been whitelisted for use in
+    // other types of device-local accounts cannot be installed in a single-app
+    // kiosk session.
+    extension = CreateExternalComponentExtension();
+    ASSERT_TRUE(extension.get());
+    EXPECT_TRUE(provider.UserMayLoad(extension.get(), &error));
+    EXPECT_EQ(base::string16(), error);
+    error.clear();
 
-  extension = CreateComponentExtension();
-  ASSERT_TRUE(extension.get());
-  EXPECT_TRUE(provider.UserMayLoad(extension.get(), &error));
-  EXPECT_EQ(base::string16(), error);
-  error.clear();
+    extension = CreateComponentExtension();
+    ASSERT_TRUE(extension.get());
+    EXPECT_TRUE(provider.UserMayLoad(extension.get(), &error));
+    EXPECT_EQ(base::string16(), error);
+    error.clear();
 
-  // Verify that an extension whose type has been whitelisted for use in other
-  // types of device-local accounts cannot be installed in a single-app kiosk
-  // session.
-  extension = CreateHostedApp();
-  ASSERT_TRUE(extension.get());
-  EXPECT_FALSE(provider.UserMayLoad(extension.get(), &error));
-  EXPECT_NE(base::string16(), error);
-  error.clear();
+    // Verify that an extension whose type has been whitelisted for use in other
+    // types of device-local accounts cannot be installed in a single-app kiosk
+    // session.
+    extension = CreateHostedApp();
+    ASSERT_TRUE(extension.get());
+    EXPECT_FALSE(provider.UserMayLoad(extension.get(), &error));
+    EXPECT_NE(base::string16(), error);
+    error.clear();
 
-  // Verify that an extension whose ID has been whitelisted for use in other
-  // types of device-local accounts cannot be installed in a single-app kiosk
-  // session.
-  extension = CreateRegularExtension(kWhitelistedId);
-  ASSERT_TRUE(extension.get());
-  EXPECT_TRUE(provider.UserMayLoad(extension.get(), &error));
-  EXPECT_EQ(base::string16(), error);
-  error.clear();
+    // Verify that an extension whose ID has been whitelisted for use in other
+    // types of device-local accounts cannot be installed in a single-app kiosk
+    // session.
+    extension = CreateRegularExtension(kWhitelistedId);
+    ASSERT_TRUE(extension.get());
+    EXPECT_TRUE(provider.UserMayLoad(extension.get(), &error));
+    EXPECT_EQ(base::string16(), error);
+    error.clear();
+  }
 }
 
 TEST(DeviceLocalAccountManagementPolicyProviderTest, IsWhitelisted) {