Removing chrome_os from 'supported_on' for non-ChromeOS CRD policies

We recently received a bug from the admin console folks who wanted to know how to enable a few policies listed in this file in ChromeOS. The problem is that they weren't applicable as they are only available for remote access hosts and we don't have a remote access implementation on ChromeOS. It looks like these were introduced in this CL: https://codereview.chromium.org/820133002 I think this was just a copy/paste mistake but it affected a number of the policies that we advertise as being supported. I've combed through our policies in the file and have removed / updated all of the entries that should not state they apply to ChromeOS. BYPASS_POLICY_COMPATIBILITY_CHECK=These policies were never supported on CrOS but were incorrectly marked that they were. Change-Id: I0b49496ee1129dfb309039afbb6ef124bbae2fe0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2411409Reviewed-by: Jamie Walch <jamiewalch@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Commit-Queue: Joe Downing <joedow@google.com> Cr-Commit-Position: refs/heads/master@{#809828}

Removing chrome_os from 'supported_on' for non-ChromeOS CRD policies
We recently received a bug from the admin console folks who wanted to know how to enable a few policies listed in this file in ChromeOS. The problem is that they weren't applicable as they are only available for remote access hosts and we don't have a remote access implementation on ChromeOS. It looks like these were introduced in this CL: https://codereview.chromium.org/820133002 I think this was just a copy/paste mistake but it affected a number of the policies that we advertise as being supported. I've combed through our policies in the file and have removed / updated all of the entries that should not state they apply to ChromeOS. BYPASS_POLICY_COMPATIBILITY_CHECK=These policies were never supported on CrOS but were incorrectly marked that they were. Change-Id: I0b49496ee1129dfb309039afbb6ef124bbae2fe0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2411409Reviewed-by: Jamie Walch <jamiewalch@chromium.org> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Commit-Queue: Joe Downing <joedow@google.com> Cr-Commit-Position: refs/heads/master@{#809828}
ab8c0abc · Joe Downing · Commit Bot · 8988c9a7 · ab8c0abc · ab8c0abc
Commit ab8c0abc authored Sep 23, 2020 by Joe Downing Committed by Commit Bot Sep 23, 2020
Showing with 27 additions and 13 deletions

components/policy/resources/policy_templates.json components/policy/resources/policy_templates.json +10 -10

remoting/host/policy_watcher_unittest.cc remoting/host/policy_watcher_unittest.cc +17 -3

No files found.
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -1950,7 +1950,7 @@
      'owners': ['jamiewalch@chromium.org', 'rkjnsn@chromium.org'],
      'type': 'main',
      'schema': { 'type': 'boolean' },
-      'supported_on': ['chrome.*:23-', 'chrome_os:41-'],
+      'supported_on': ['chrome.*:23-'],
      'features': {
        'dynamic_refresh': True,
        'per_profile': False,
@@ -1970,7 +1970,7 @@
      'owners': ['jamiewalch@chromium.org', 'rkjnsn@chromium.org'],
      'type': 'main',
      'schema': { 'type': 'boolean' },
-      'supported_on': ['chrome.*:30-', 'chrome_os:41-'],
+      'supported_on': ['chrome.*:30-'],
      'features': {
        'dynamic_refresh': True,
        'per_profile': False,
@@ -1988,7 +1988,7 @@
      'owners': ['jamiewalch@chromium.org', 'rkjnsn@chromium.org'],
      'type': 'main',
      'schema': { 'type': 'boolean' },
-      'supported_on': ['chrome.*:35-', 'chrome_os:41-'],
+      'supported_on': ['chrome.*:35-'],
      'features': {
        'dynamic_refresh': True,
        'per_profile': False,
@@ -2046,7 +2046,7 @@
      'owners': ['jamiewalch@chromium.org', 'rkjnsn@chromium.org'],
      'type': 'main',
      'schema': { 'type': 'boolean' },
-      'supported_on': ['chrome.linux:25-', 'chrome.mac:25-', 'chrome_os:42-'],
+      'supported_on': ['chrome.linux:25-', 'chrome.mac:25-'],
      'features': {
        'dynamic_refresh': True,
        'per_profile': False,
@@ -2064,7 +2064,7 @@
      'owners': ['jamiewalch@chromium.org', 'rkjnsn@chromium.org'],
      'type': 'string',
      'schema': { 'type': 'string' },
-      'supported_on': ['chrome.*:28-','chrome_os:42-'],
+      'supported_on': ['chrome.*:28-'],
      'features': {
        'dynamic_refresh': True,
        'per_profile': False,
@@ -2075,14 +2075,14 @@
      'tags': ['website-sharing'],
      'desc': '''If this policy is set, the remote access host will require authenticating clients to obtain an authentication token from this URL in order to connect. Must be used in conjunction with RemoteAccessHostTokenValidationUrl.
-          This feature is currently disabled server-side.''',
+          This feature is disabled if empty or not set.''',
    },
    {
      'name': 'RemoteAccessHostTokenValidationUrl',
      'owners': ['jamiewalch@chromium.org', 'rkjnsn@chromium.org'],
      'type': 'string',
      'schema': { 'type': 'string' },
-      'supported_on': ['chrome.*:28-','chrome_os:42-'],
+      'supported_on': ['chrome.*:28-'],
      'features': {
        'dynamic_refresh': True,
        'per_profile': False,
@@ -2093,14 +2093,14 @@
      'tags': ['website-sharing'],
      'desc': '''If this policy is set, the remote access host will use this URL to validate authentication tokens from remote access clients, in order to accept connections. Must be used in conjunction with RemoteAccessHostTokenUrl.
-          This feature is currently disabled server-side.''',
+          This feature is disabled if empty or not set.''',
    },
    {
      'name': 'RemoteAccessHostTokenValidationCertificateIssuer',
      'owners': ['jamiewalch@chromium.org', 'rkjnsn@chromium.org'],
      'type': 'string',
      'schema': { 'type': 'string' },
-      'supported_on': ['chrome.*:28-','chrome_os:42-'],
+      'supported_on': ['chrome.*:28-'],
      'features': {
        'dynamic_refresh': True,
        'per_profile': False,
@@ -2111,7 +2111,7 @@
      'tags': [],
      'desc': '''If this policy is set, the host will use a client certificate with the given issuer CN to authenticate to RemoteAccessHostTokenValidationUrl. Set it to "*" to use any available client certificate.
-          This feature is currently disabled server-side.''',
+          This feature is disabled if empty or not set.''',
    },
    {
      'name': 'RemoteAccessHostDebugOverridePolicies',
--- a/remoting/host/policy_watcher_unittest.cc
+++ b/remoting/host/policy_watcher_unittest.cc
@@ -530,6 +530,7 @@ INSTANTIATE_TEST_SUITE_P(
                      "RemoteAccessHostdomain",
                      "RemoteAccessHostPolicyForFutureVersion"));
+#if !defined(OS_CHROMEOS)
 TEST_F(PolicyWatcherTest, PairingFalseThenTrue) {
  testing::InSequence sequence;
  EXPECT_CALL(mock_policy_callback_,
@@ -559,6 +560,7 @@ TEST_F(PolicyWatcherTest, GnubbyAuth) {
  SetPolicies(gnubby_auth_false_);
  SetPolicies(gnubby_auth_true_);
 }
+#endif  // !defined(OS_CHROMEOS)
 TEST_F(PolicyWatcherTest, RemoteAssistanceUiAccess) {
  testing::InSequence sequence;
@@ -595,6 +597,7 @@ TEST_F(PolicyWatcherTest, Relay) {
  SetPolicies(relay_true_);
 }
+#if !defined(OS_CHROMEOS)
 TEST_F(PolicyWatcherTest, Curtain) {
  testing::InSequence sequence;
  EXPECT_CALL(mock_policy_callback_,
@@ -661,6 +664,7 @@ TEST_F(PolicyWatcherTest, ThirdPartyAuthPartialToFull) {
  SetPolicies(third_party_auth_partial_);
  SetPolicies(third_party_auth_full_);
 }
+#endif  // !defined(OS_CHROMEOS)
 TEST_F(PolicyWatcherTest, UdpPortRange) {
  testing::InSequence sequence;
@@ -693,6 +697,16 @@ TEST_F(PolicyWatcherTest, PolicySchemaAndPolicyWatcherShouldBeInSync) {
  // RemoteAccessHostMatchUsername is marked in policy_templates.json as not
  // supported on Windows and therefore is (by design) excluded from the schema.
  expected_schema.erase(key::kRemoteAccessHostMatchUsername);
+#elif defined(OS_CHROMEOS)
+  // Me2Me Policies are not supported on ChromeOS.
+  expected_schema.erase(key::kRemoteAccessHostAllowGnubbyAuth);
+  expected_schema.erase(key::kRemoteAccessHostAllowClientPairing);
+  expected_schema.erase(key::kRemoteAccessHostMatchUsername);
+  expected_schema.erase(key::kRemoteAccessHostRequireCurtain);
+  expected_schema.erase(key::kRemoteAccessHostTokenUrl);
+  expected_schema.erase(key::kRemoteAccessHostTokenValidationUrl);
+  expected_schema.erase(key::kRemoteAccessHostTokenValidationCertificateIssuer);
+  expected_schema.erase(key::kRemoteAccessHostAllowUiAccessForRemoteAssistance);
 #else  // !defined(OS_WIN)
  // RemoteAssistanceHostAllowUiAccess does not exist on non-Windows platforms.
  expected_schema.erase(key::kRemoteAccessHostAllowUiAccessForRemoteAssistance);
@@ -726,14 +740,14 @@ TEST_F(PolicyWatcherTest, SchemaTypeCheck) {
  // Check one, random "string" policy to see if the type propagated correctly
  // from policy_templates.json file.
  const policy::Schema string_schema =
-      schema->GetKnownProperty("RemoteAccessHostDomain");
+      schema->GetKnownProperty("RemoteAccessHostUdpPortRange");
  EXPECT_TRUE(string_schema.valid());
  EXPECT_EQ(string_schema.type(), base::Value::Type::STRING);
  // And check one, random "boolean" policy to see if the type propagated
  // correctly from policy_templates.json file.
  const policy::Schema boolean_schema =
-      schema->GetKnownProperty("RemoteAccessHostRequireCurtain");
+      schema->GetKnownProperty("RemoteAccessHostAllowRelayedConnection");
  EXPECT_TRUE(boolean_schema.valid());
  EXPECT_EQ(boolean_schema.type(), base::Value::Type::BOOLEAN);
 }
@@ -784,4 +798,4 @@ TEST_F(PolicyWatcherTest, GetCurrentPoliciesError) {
  ASSERT_EQ(0u, current_policies->size());
 }
 }  // namespace remoting
\ No newline at end of file