DLP: Add printing restrictions.

Add Data Leak Prevention features that restricts printing of DLP sensitive content.

Bug: 1124651
Test: Browsertest added.
Change-Id: I0d653f3ea2518882f3cce8a96195247152fe45fb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2390651Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Nikita Podguzov <nikitapodguzov@chromium.org>
Commit-Queue: Sergey Poromov <poromov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#810118}

chrome/browser/chromeos/policy/dlp/dlp_content_manager.cc

@@ -11,6 +11,7 @@
 #include "chrome/browser/ui/ash/chrome_screenshot_grabber.h"
 #include "content/public/browser/visibility.h"
 #include "content/public/browser/web_contents.h"
+#include "extensions/browser/guest_view/mime_handler_view/mime_handler_view_guest.h"
 #include "ui/aura/window.h"
 #include "ui/gfx/geometry/rect.h"
 #include "ui/gfx/skia_util.h"
@@ -98,6 +99,19 @@ bool DlpContentManager::IsScreenshotRestricted(
   return false;
 }
 
+bool DlpContentManager::IsPrintingRestricted(
+    content::WebContents* web_contents) const {
+  // If we're viewing the PDF in a MimeHandlerViewGuest, use its embedder
+  // WebContents.
+  auto* guest_view =
+      extensions::MimeHandlerViewGuest::FromWebContents(web_contents);
+  web_contents =
+      guest_view ? guest_view->embedder_web_contents() : web_contents;
+
+  return GetConfidentialRestrictions(web_contents)
+      .HasRestriction(DlpContentRestriction::kPrint);
+}
+
 /* static */
 void DlpContentManager::SetDlpContentManagerForTesting(
     DlpContentManager* dlp_content_manager) {

chrome/browser/chromeos/policy/dlp/dlp_content_manager.h

@@ -41,6 +41,9 @@ class DlpContentManager {
   // Returns whether screenshots should be restricted.
   virtual bool IsScreenshotRestricted(const ScreenshotArea& area) const;
 
+  // Returns whether printing should be restricted.
+  bool IsPrintingRestricted(content::WebContents* web_contents) const;
+
   // The caller (test) should manage |dlp_content_manager| lifetime.
   // Reset doesn't delete the object.
   static void SetDlpContentManagerForTesting(

chrome/browser/chromeos/policy/dlp/dlp_content_manager_unittest.cc

@@ -22,6 +22,8 @@ const DlpContentRestrictionSet kScreenshotRestricted(
 const DlpContentRestrictionSet kNonEmptyRestrictionSet = kScreenshotRestricted;
 const DlpContentRestrictionSet kPrivacyScreenEnforced(
     DlpContentRestriction::kPrivacyScreen);
+const DlpContentRestrictionSet kPrintingRestricted(
+    DlpContentRestriction::kPrint);
 
 class MockPrivacyScreenHelper : public ash::PrivacyScreenDlpHelper {
  public:
@@ -212,4 +214,20 @@ TEST_F(DlpContentManagerTest, PrivacyScreenEnforcement) {
   task_environment_.FastForwardBy(GetPrivacyScreenOffDelay());
 }
 
+TEST_F(DlpContentManagerTest, PrintingRestricted) {
+  std::unique_ptr<content::WebContents> web_contents = CreateWebContents();
+  EXPECT_EQ(manager_.GetConfidentialRestrictions(web_contents.get()),
+            kEmptyRestrictionSet);
+  EXPECT_FALSE(manager_.IsPrintingRestricted(web_contents.get()));
+
+  ChangeConfidentiality(web_contents.get(), kPrintingRestricted);
+  EXPECT_EQ(manager_.GetConfidentialRestrictions(web_contents.get()),
+            kPrintingRestricted);
+  EXPECT_TRUE(manager_.IsPrintingRestricted(web_contents.get()));
+
+  DestroyWebContents(web_contents.get());
+  EXPECT_EQ(manager_.GetConfidentialRestrictions(web_contents.get()),
+            kEmptyRestrictionSet);
+  EXPECT_FALSE(manager_.IsPrintingRestricted(web_contents.get()));
+}
 }  // namespace policy

chrome/browser/chromeos/policy/dlp/dlp_content_restriction_set.h

@@ -17,6 +17,8 @@ enum DlpContentRestriction {
   kScreenshot = 1 << 0,
   // Enforce ePrivacy screen when content is visible.
   kPrivacyScreen = 1 << 1,
+  // Do not allow printing.
+  kPrint = 1 << 2,
 };
 
 // Represents set of restrictions applied to on-screen content.

chrome/browser/printing/print_preview_message_handler.cc

@@ -102,9 +102,14 @@ PrintPreviewUI* PrintPreviewMessageHandler::GetPrintPreviewUI(
 void PrintPreviewMessageHandler::OnRequestPrintPreview(
     content::RenderFrameHost* render_frame_host,
     const PrintHostMsg_RequestPrintPreview_Params& params) {
+  PrintViewManager* print_view_manager =
+      PrintViewManager::FromWebContents(web_contents());
+  if (print_view_manager->RejectPrintPreviewRequestIfRestricted(
+          render_frame_host)) {
+    return;
+  }
   if (params.webnode_only) {
-    PrintViewManager::FromWebContents(web_contents())->PrintPreviewForWebNode(
-        render_frame_host);
+    print_view_manager->PrintPreviewForWebNode(render_frame_host);
   }
   PrintPreviewDialogController::PrintPreview(web_contents());
   PrintPreviewUI::SetInitialParams(GetPrintPreviewDialog(), params);

chrome/browser/printing/print_view_manager.cc

@@ -28,6 +28,10 @@
 #include "mojo/public/cpp/bindings/associated_remote.h"
 #include "printing/buildflags/buildflags.h"
 
+#if defined(OS_CHROMEOS)
+#include "chrome/browser/chromeos/policy/dlp/dlp_content_manager.h"
+#endif
+
 using content::BrowserThread;
 
 namespace {
@@ -177,6 +181,14 @@ void PrintViewManager::PrintPreviewDone() {
   print_preview_rfh_ = nullptr;
 }
 
+bool PrintViewManager::RejectPrintPreviewRequestIfRestricted(
+    content::RenderFrameHost* rfh) {
+  if (!IsPrintingRestricted())
+    return false;
+  GetPrintRenderFrame(rfh)->OnPrintPreviewDialogClosed();
+  return true;
+}
+
 void PrintViewManager::RenderFrameCreated(
     content::RenderFrameHost* render_frame_host) {
   if (PrintPreviewDialogController::IsPrintPreviewURL(
@@ -207,6 +219,9 @@ bool PrintViewManager::PrintPreview(
   if (IsCrashed())
     return false;
 
+  if (IsPrintingRestricted())
+    return false;
+
   GetPrintRenderFrame(rfh)->InitiatePrintPreview(std::move(print_renderer),
                                                  has_selection);
 
@@ -255,6 +270,9 @@ void PrintViewManager::OnSetupScriptedPrintPreview(
     return;
   }
 
+  if (RejectPrintPreviewRequestIfRestricted(rfh))
+    return;
+
   DCHECK(!print_preview_rfh_);
   print_preview_rfh_ = rfh;
   print_preview_state_ = SCRIPTED_PREVIEW;
@@ -270,6 +288,9 @@ void PrintViewManager::OnSetupScriptedPrintPreview(
 
 void PrintViewManager::OnShowScriptedPrintPreview(content::RenderFrameHost* rfh,
                                                   bool source_is_modifiable) {
+  if (print_preview_state_ != SCRIPTED_PREVIEW)
+    return;
+
   DCHECK(print_preview_rfh_);
   if (rfh != print_preview_rfh_)
     return;
@@ -323,6 +344,15 @@ void PrintViewManager::MaybeUnblockScriptedPreviewRPH() {
   }
 }
 
+bool PrintViewManager::IsPrintingRestricted() const {
+#if defined(OS_CHROMEOS)
+  // Don't print DLP restricted content on Chrome OS.
+  return policy::DlpContentManager::Get()->IsPrintingRestricted(web_contents());
+#else
+  return false;
+#endif
+}
+
 WEB_CONTENTS_USER_DATA_KEY_IMPL(PrintViewManager)
 
 }  // namespace printing

chrome/browser/printing/print_view_manager.h

@@ -58,6 +58,10 @@ class PrintViewManager : public PrintViewManagerBase,
   // renderer in the case of scripted print preview if needed.
   void PrintPreviewDone();
 
+  // Checks whether printing is currently restricted and aborts print preview if
+  // needed.
+  bool RejectPrintPreviewRequestIfRestricted(content::RenderFrameHost* rfh);
+
   // mojom::PrintManagerHost:
   void DidShowPrintDialog() override;
 
@@ -102,6 +106,9 @@ class PrintViewManager : public PrintViewManagerBase,
 
   void MaybeUnblockScriptedPreviewRPH();
 
+  // Checks whether printing is restricted due to Data Leak Protection rules.
+  bool IsPrintingRestricted() const;
+
   base::OnceClosure on_print_dialog_shown_callback_;
 
   // Current state of print preview for this view.