Implement policy: Force log out unauthenticated users

Force log out unauthenticated enterprise users if |ForceLogoutUnauthenticatedUserEnabled| policy is set to true. |ChromeOSLimitedAccessAccountReconcilorDelegate| is being refactored to support two different types of accounts: child and enterprise with |ForceLogoutUnauthenticatedUserEnabled|. The ReconcilorDelegate logic connected with child accounts remains unchanged. Bug: b/146461662 Change-Id: Ic340ea3d59537f8c1092362ae0c8e32756bbb26f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2058820 Commit-Queue: Andrei Salavei <solovey@google.com> Reviewed-by: David Roger <droger@chromium.org> Reviewed-by: Kush Sinha <sinhak@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Cr-Commit-Position: refs/heads/master@{#746361}

Implement policy: Force log out unauthenticated users
Force log out unauthenticated enterprise users if |ForceLogoutUnauthenticatedUserEnabled| policy is set to true. |ChromeOSLimitedAccessAccountReconcilorDelegate| is being refactored to support two different types of accounts: child and enterprise with |ForceLogoutUnauthenticatedUserEnabled|. The ReconcilorDelegate logic connected with child accounts remains unchanged. Bug: b/146461662 Change-Id: Ic340ea3d59537f8c1092362ae0c8e32756bbb26f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2058820 Commit-Queue: Andrei Salavei <solovey@google.com> Reviewed-by: David Roger <droger@chromium.org> Reviewed-by: Kush Sinha <sinhak@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Cr-Commit-Position: refs/heads/master@{#746361}
a5f11ff5 · Andrew Solovey · Commit Bot · 600c9586 · a5f11ff5
Commit a5f11ff5 authored Mar 03, 2020 by Andrew Solovey Committed by Commit Bot Mar 03, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 8 deletions

chrome/browser/signin/account_reconcilor_factory.cc chrome/browser/signin/account_reconcilor_factory.cc +41 -8

No files found.
--- a/chrome/browser/signin/account_reconcilor_factory.cc
+++ b/chrome/browser/signin/account_reconcilor_factory.cc
@@ -44,15 +44,36 @@
 namespace {

 #if defined(OS_CHROMEOS)
-class ChromeOSChildAccountReconcilorDelegate
+class ChromeOSLimitedAccessAccountReconcilorDelegate
    : public signin::MirrorAccountReconcilorDelegate {
 public:
-  explicit ChromeOSChildAccountReconcilorDelegate(
+  enum class ReconcilorBehavior {
+    kChild,
+    kEnterprise,
+  };
+
+  ChromeOSLimitedAccessAccountReconcilorDelegate(
+      ReconcilorBehavior reconcilor_behavior,
      signin::IdentityManager* identity_manager)
-      : signin::MirrorAccountReconcilorDelegate(identity_manager) {}
+      : signin::MirrorAccountReconcilorDelegate(identity_manager),
+        reconcilor_behavior_(reconcilor_behavior) {}
+
+  ChromeOSLimitedAccessAccountReconcilorDelegate(
+      const ChromeOSLimitedAccessAccountReconcilorDelegate&) = delete;
+  ChromeOSLimitedAccessAccountReconcilorDelegate& operator=(
+      const ChromeOSLimitedAccessAccountReconcilorDelegate&) = delete;

  base::TimeDelta GetReconcileTimeout() const override {
-    return base::TimeDelta::FromSeconds(10);
+    switch (reconcilor_behavior_) {
+      case ReconcilorBehavior::kChild:
+        return base::TimeDelta::FromSeconds(10);
+      case ReconcilorBehavior::kEnterprise:
+        // 60 seconds is enough to cover about 99% of all reconcile cases.
+        return base::TimeDelta::FromSeconds(60);
+      default:
+        NOTREACHED();
+        return MirrorAccountReconcilorDelegate::GetReconcileTimeout();
+    }
  }

  void OnReconcileError(const GoogleServiceAuthError& error) override {
@@ -74,14 +95,16 @@ class ChromeOSChildAccountReconcilorDelegate
    user_manager::UserManager::Get()->SaveForceOnlineSignin(
        primary_user->GetAccountId(), true /* force_online_signin */);

+    if (reconcilor_behavior_ == ReconcilorBehavior::kChild) {
+      UMA_HISTOGRAM_BOOLEAN(
+          "ChildAccountReconcilor.ForcedUserExitOnReconcileError", true);
+    }
    // Force a logout.
-    UMA_HISTOGRAM_BOOLEAN(
-        "ChildAccountReconcilor.ForcedUserExitOnReconcileError", true);
    chrome::AttemptUserExit();
  }

 private:
-  DISALLOW_COPY_AND_ASSIGN(ChromeOSChildAccountReconcilorDelegate);
+  const ReconcilorBehavior reconcilor_behavior_;
 };

 // An |AccountReconcilorDelegate| for Chrome OS that is exactly the same as
@@ -176,7 +199,9 @@ AccountReconcilorFactory::CreateAccountReconcilorDelegate(Profile* profile) {
      // Only for child accounts on Chrome OS, use the specialized Mirror
      // delegate.
      if (profile->IsChild()) {
-        return std::make_unique<ChromeOSChildAccountReconcilorDelegate>(
+        return std::make_unique<ChromeOSLimitedAccessAccountReconcilorDelegate>(
+            ChromeOSLimitedAccessAccountReconcilorDelegate::ReconcilorBehavior::
+                kChild,
            IdentityManagerFactory::GetForProfile(profile));
      }

@@ -190,6 +215,14 @@ AccountReconcilorFactory::CreateAccountReconcilorDelegate(Profile* profile) {
            signin::ActiveDirectoryAccountReconcilorDelegate>();
      }

+      if (profile->GetPrefs()->GetBoolean(
+              prefs::kForceLogoutUnauthenticatedUserEnabled)) {
+        return std::make_unique<ChromeOSLimitedAccessAccountReconcilorDelegate>(
+            ChromeOSLimitedAccessAccountReconcilorDelegate::ReconcilorBehavior::
+                kEnterprise,
+            IdentityManagerFactory::GetForProfile(profile));
+      }
+
      // TODO(sinhak): Use |MirrorAccountReconcilorDelegate|) when all Chrome OS
      // users have been migrated to Account Manager.
      return std::make_unique<ChromeOSAccountReconcilorDelegate>(