Only hide future policies on Stable and Beta channel.

All policies on the platform with future_on flag will be ignored by
default unless they are whitelisted by EnableExperimentalPolicies.

However, this restriction doesn't have to apply to the Dev, Canary and
Chromium build because they are used for development and testing anyway.

Also whitelist in browser test in case they need to be ran with branded
browser.

Bug: 1067190
Change-Id: I139208115657f698e9c94921827db686f3ac346c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2225289Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Reviewed-by: Rohit Rao <rohitrao@chromium.org>
Reviewed-by: Changwan Ryu <changwan@chromium.org>
Commit-Queue: Owen Min <zmin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#776193}

android_webview/browser/aw_browser_policy_connector.cc

@@ -13,6 +13,8 @@
 #include "components/policy/core/browser/url_blacklist_policy_handler.h"
 #include "components/policy/core/common/policy_pref_names.h"
 #include "components/policy/policy_constants.h"
+#include "components/version_info/android/channel_getter.h"
+#include "components/version_info/channel.h"
 #include "net/url_request/url_request_context_getter.h"
 
 namespace android_webview {
@@ -32,10 +34,13 @@ const policy::PolicyDetails* GetChromePolicyDetails(const std::string& policy) {
 // to the associated preferences.
 std::unique_ptr<policy::ConfigurationPolicyHandlerList> BuildHandlerList(
     const policy::Schema& chrome_schema) {
+  version_info::Channel channel = version_info::android::GetChannel();
   std::unique_ptr<policy::ConfigurationPolicyHandlerList> handlers(
       new policy::ConfigurationPolicyHandlerList(
           base::BindRepeating(&PopulatePolicyHandlerParameters),
-          base::BindRepeating(&GetChromePolicyDetails)));
+          base::BindRepeating(&GetChromePolicyDetails),
+          channel != version_info::Channel::STABLE &&
+              channel != version_info::Channel::BETA));
 
   // URL Filtering
   handlers->AddHandler(std::make_unique<policy::SimplePolicyHandler>(

chrome/browser/policy/configuration_policy_handler_list_factory.cc

@@ -11,6 +11,7 @@
 #include <vector>
 
 #include "base/bind.h"
+#include "base/command_line.h"
 #include "base/memory/ptr_util.h"
 #include "base/stl_util.h"
 #include "base/values.h"
@@ -37,6 +38,7 @@
 #include "chrome/browser/spellchecker/spellcheck_language_policy_handler.h"
 #include "chrome/browser/ssl/secure_origin_policy_handler.h"
 #include "chrome/common/buildflags.h"
+#include "chrome/common/channel_info.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
 #include "chromeos/services/assistant/public/cpp/assistant_prefs.h"
@@ -83,6 +85,8 @@
 #include "components/unified_consent/pref_names.h"
 #include "components/variations/pref_names.h"
 #include "components/variations/service/variations_service.h"
+#include "components/version_info/channel.h"
+#include "content/public/common/content_switches.h"
 #include "extensions/buildflags/buildflags.h"
 #include "media/media_buildflags.h"
 #include "ppapi/buildflags/buildflags.h"
@@ -1311,6 +1315,16 @@ void GetDeprecatedFeaturesMap(
   // re-enable them.
 }
 
+// Future policies are not supported on Stable and Beta by default.
+bool AreFuturePoliciesSupported() {
+  // Enable future policies for branded browser tests.
+  if (base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kTestType))
+    return true;
+  version_info::Channel channel = chrome::GetChannel();
+  return channel != version_info::Channel::STABLE &&
+         channel != version_info::Channel::BETA;
+}
+
 }  // namespace
 
 void PopulatePolicyHandlerParameters(PolicyHandlerParameters* parameters) {
@@ -1329,7 +1343,7 @@ std::unique_ptr<ConfigurationPolicyHandlerList> BuildHandlerList(
   std::unique_ptr<ConfigurationPolicyHandlerList> handlers(
       new ConfigurationPolicyHandlerList(
           base::Bind(&PopulatePolicyHandlerParameters),
-          base::Bind(&GetChromePolicyDetails)));
+          base::Bind(&GetChromePolicyDetails), AreFuturePoliciesSupported()));
   for (size_t i = 0; i < base::size(kSimplePolicyMap); ++i) {
     handlers->AddHandler(std::make_unique<SimplePolicyHandler>(
         kSimplePolicyMap[i].policy_name, kSimplePolicyMap[i].preference_path,

components/policy/core/browser/configuration_policy_handler_list.cc

@@ -24,9 +24,11 @@ const char kPolicyCommentPrefix[] = "_comment";
 
 ConfigurationPolicyHandlerList::ConfigurationPolicyHandlerList(
     const PopulatePolicyHandlerParametersCallback& parameters_callback,
-    const GetChromePolicyDetailsCallback& details_callback)
+    const GetChromePolicyDetailsCallback& details_callback,
+    bool allow_future_policies)
     : parameters_callback_(parameters_callback),
-      details_callback_(details_callback) {}
+      details_callback_(details_callback),
+      allow_future_policies_(allow_future_policies) {}
 
 ConfigurationPolicyHandlerList::~ConfigurationPolicyHandlerList() {
 }
@@ -47,11 +49,11 @@ void ConfigurationPolicyHandlerList::ApplyPolicySettings(
   // TODO(aberent): split into two functions.
   // TODO(crbug.com/1076560): Returns filtered out future policies for better
   // user interface.
-  // TODO(crbug.com/1076560): Provides a way to all whitelist experimental
-  // policies in Canary/Dev and test.
   std::unique_ptr<PolicyMap> filtered_policies = policies.DeepCopy();
   base::flat_set<std::string> enabled_future_policies =
-      ValueToStringSet(policies.GetValue(key::kEnableExperimentalPolicies));
+      allow_future_policies_ ? base::flat_set<std::string>()
+                             : ValueToStringSet(policies.GetValue(
+                                   key::kEnableExperimentalPolicies));
   filtered_policies->EraseMatching(base::BindRepeating(
       &ConfigurationPolicyHandlerList::FilterOutUnsupportedPolicies,
       base::Unretained(this), enabled_future_policies));
@@ -123,7 +125,7 @@ bool ConfigurationPolicyHandlerList::IsFuturePolicy(
     const base::flat_set<std::string>& enabled_future_policies,
     const PolicyDetails& policy_details,
     const PolicyMap::const_iterator iter) const {
-  return policy_details.is_future &&
+  return !allow_future_policies_ && policy_details.is_future &&
          !enabled_future_policies.contains(iter->first);
 }
 

components/policy/core/browser/configuration_policy_handler_list.h

@@ -37,7 +37,8 @@ class POLICY_EXPORT ConfigurationPolicyHandlerList {
 
   explicit ConfigurationPolicyHandlerList(
       const PopulatePolicyHandlerParametersCallback& parameters_callback,
-      const GetChromePolicyDetailsCallback& details_callback);
+      const GetChromePolicyDetailsCallback& details_callback,
+      bool allow_future_policies);
   ~ConfigurationPolicyHandlerList();
 
   // Adds a policy handler to the list.
@@ -73,6 +74,8 @@ class POLICY_EXPORT ConfigurationPolicyHandlerList {
   const PopulatePolicyHandlerParametersCallback parameters_callback_;
   const GetChromePolicyDetailsCallback details_callback_;
 
+  bool allow_future_policies_ = false;
+
   DISALLOW_COPY_AND_ASSIGN(ConfigurationPolicyHandlerList);
 };
 

components/policy/core/browser/configuration_policy_handler_list_unittest.cc

@@ -52,6 +52,8 @@ class StubPolicyHandler : public ConfigurationPolicyHandler {
 
 class ConfigurationPolicyHandlerListTest : public ::testing::Test {
  public:
+  void SetUp() override { CreateHandlerList(); }
+
   void AddSimplePolicy() {
     AddPolicy(kPolicyName, /* is_cloud */ true,
               std::make_unique<base::Value>(kPolicyValue));
@@ -66,14 +68,24 @@ class ConfigurationPolicyHandlerListTest : public ::testing::Test {
                            : PolicySource::POLICY_SOURCE_PLATFORM,
                   std::move(value), nullptr);
     if (policy_name != key::kEnableExperimentalPolicies) {
-      handler_list_.AddHandler(
+      handler_list_->AddHandler(
           std::make_unique<StubPolicyHandler>(policy_name));
     }
   }
 
   void ApplySettings() {
-    handler_list_.ApplyPolicySettings(policies_, &prefs_, &errors_,
-                                      &deprecated_policies_);
+    handler_list_->ApplyPolicySettings(policies_, &prefs_, &errors_,
+                                       &deprecated_policies_);
+  }
+
+  void CreateHandlerList(bool allow_all_future_policies = false) {
+    handler_list_ = std::make_unique<ConfigurationPolicyHandlerList>(
+        ConfigurationPolicyHandlerList::
+            PopulatePolicyHandlerParametersCallback(),
+        base::BindRepeating(
+            &ConfigurationPolicyHandlerListTest::GetPolicyDetails,
+            base::Unretained(this)),
+        allow_all_future_policies);
   }
 
   PrefValueMap* prefs() { return &prefs_; }
@@ -108,10 +120,7 @@ class ConfigurationPolicyHandlerListTest : public ::testing::Test {
   DeprecatedPoliciesSet deprecated_policies_;
   PolicyDetails details_{false, false, false, 0, 0, {}};
 
-  ConfigurationPolicyHandlerList handler_list_{
-      ConfigurationPolicyHandlerList::PopulatePolicyHandlerParametersCallback(),
-      base::BindRepeating(&ConfigurationPolicyHandlerListTest::GetPolicyDetails,
-                          base::Unretained(this))};
+  std::unique_ptr<ConfigurationPolicyHandlerList> handler_list_;
 };
 
 TEST_F(ConfigurationPolicyHandlerListTest, ApplySettingsWithNormalPolicy) {
@@ -150,6 +159,16 @@ TEST_F(ConfigurationPolicyHandlerListTest, ApplySettingsWithFuturePolicy) {
   VerifyPolicyAndPref(kPolicyName, /* in_pref */ true);
 }
 
+TEST_F(ConfigurationPolicyHandlerListTest,
+       ApplySettingsWithoutFutureFilterPolicy) {
+  CreateHandlerList(true);
+  AddSimplePolicy();
+  details()->is_future = true;
+
+  ApplySettings();
+
+  VerifyPolicyAndPref(kPolicyName, /* in_pref */ true);
+}
 // Device platform policy will be fitered out.
 TEST_F(ConfigurationPolicyHandlerListTest,
        ApplySettingsWithPlatformDevicePolicy) {

components/policy/core/browser/configuration_policy_pref_store_test.cc

@@ -25,7 +25,8 @@ ConfigurationPolicyPrefStoreTest::ConfigurationPolicyPrefStoreTest()
     : handler_list_(base::BindRepeating(&ConfigurationPolicyPrefStoreTest::
                                             PopulatePolicyHandlerParameters,
                                         base::Unretained(this)),
-                    GetChromePolicyDetailsCallback()) {
+                    GetChromePolicyDetailsCallback(),
+                    /* allow_all_future_policies*/ true) {
   EXPECT_CALL(provider_, IsInitializationComplete(_))
       .WillRepeatedly(Return(false));
   provider_.Init();

ios/chrome/browser/application_context_impl.cc

@@ -40,6 +40,7 @@
 #include "components/update_client/configurator.h"
 #include "components/update_client/update_query_params.h"
 #include "components/variations/service/variations_service.h"
+#include "components/version_info/channel.h"
 #include "ios/chrome/app/tests_hook.h"
 #include "ios/chrome/browser/application_context.h"
 #include "ios/chrome/browser/browser_state/chrome_browser_state.h"
@@ -422,8 +423,11 @@ BrowserPolicyConnectorIOS* ApplicationContextImpl::GetBrowserPolicyConnector() {
       // BrowserPolicyConnector::OnResourceBundleCreated() will need to be added
       // later in the startup sequence, after the ResourceBundle is initialized.
       DCHECK(ui::ResourceBundle::HasSharedInstance());
+      version_info::Channel channel = ::GetChannel();
       browser_policy_connector_ = std::make_unique<BrowserPolicyConnectorIOS>(
-          base::Bind(&BuildPolicyHandlerList));
+          base::Bind(&BuildPolicyHandlerList,
+                     channel != version_info::Channel::STABLE &&
+                         channel != version_info::Channel::BETA));
 
       // Install a mock platform policy provider, if running under EG2 and one
       // is supplied.

ios/chrome/browser/policy/configuration_policy_handler_list_factory.h

@@ -13,7 +13,10 @@ class Schema;
 }  // namespace policy
 
 // Builds a policy handler list.
+// All un-released policies will be ignored by default unless
+// |allow_future_policies| is True.
 std::unique_ptr<policy::ConfigurationPolicyHandlerList> BuildPolicyHandlerList(
+    bool allow_future_policies,
     const policy::Schema& chrome_schema);
 
 #endif  // IOS_CHROME_BROWSER_POLICY_CONFIGURATION_POLICY_HANDLER_LIST_FACTORY_H_

ios/chrome/browser/policy/configuration_policy_handler_list_factory.mm

@@ -77,12 +77,13 @@ void PopulatePolicyHandlerParameters(
 }  // namespace
 
 std::unique_ptr<policy::ConfigurationPolicyHandlerList> BuildPolicyHandlerList(
+    bool allow_future_policies,
     const policy::Schema& chrome_schema) {
   DCHECK(IsEnterprisePolicyEnabled());
   std::unique_ptr<policy::ConfigurationPolicyHandlerList> handlers =
       std::make_unique<policy::ConfigurationPolicyHandlerList>(
           base::Bind(&PopulatePolicyHandlerParameters),
-          base::Bind(&policy::GetChromePolicyDetails));
+          base::Bind(&policy::GetChromePolicyDetails), allow_future_policies);
 
   // Check the feature flag before adding handlers to the list.
   if (!ShouldInstallEnterprisePolicyHandlers()) {

ios/chrome/browser/policy/enterprise_policy_test_helper.cc

@@ -21,7 +21,7 @@ EnterprisePolicyTestHelper::EnterprisePolicyTestHelper(
   // Create a BrowserPolicyConnectorIOS, install the mock policy
   // provider, and hook up Local State.
   browser_policy_connector_ = std::make_unique<BrowserPolicyConnectorIOS>(
-      base::Bind(&BuildPolicyHandlerList));
+      base::Bind(&BuildPolicyHandlerList, /* allow_future_policies= */ true));
   browser_policy_connector_->SetPolicyProviderForTesting(&policy_provider_);
 
   scoped_refptr<PrefRegistrySimple> local_state_registry(