Refactor legacy DLP/Malware policies on download path

This CL makes the FILE_DOWNLOADED Connector replace
CheckContentCompliance and SendFilesForMalwareCheck on downloads. This
is achieved by replacing CheckClientDownloadRequest::ShouldUploadBinary
by CheckClientDownloadRequest::GetAnalysisSettings and passing the
returned settings as a parameter to DeepScanningRequest when they are
found.

This CL does not introduce new tests since this refactor should not
affect the behaviour of the previous legacy policies. Once this is
submitted, further CLs will reuse download tests with the
FILE_DOWNLOADED connector (crbug/1076083).

Bug: 1067631
Change-Id: Id66c37b64280f1e482043b8223a72dfd41017147
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2191205Reviewed-by: Daniel Rubery <drubery@chromium.org>
Reviewed-by: Min Qin <qinmin@chromium.org>
Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#771555}

chrome/browser/download/download_item_model.cc

@@ -24,6 +24,8 @@
 #include "chrome/browser/download/download_prefs.h"
 #include "chrome/browser/download/download_stats.h"
 #include "chrome/browser/download/offline_item_utils.h"
+#include "chrome/browser/enterprise/connectors/common.h"
+#include "chrome/browser/enterprise/connectors/connectors_manager.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/safe_browsing/download_protection/deep_scanning_request.h"
 #include "chrome/browser/safe_browsing/download_protection/download_feedback_service.h"
@@ -742,6 +744,8 @@ void DownloadItemModel::ExecuteCommand(DownloadCommands* download_commands,
       ChromeDownloadManagerDelegate* delegate =
           download_core_service->GetDownloadManagerDelegate();
       DCHECK(delegate);
+      enterprise_connectors::AnalysisSettings settings;
+      settings.tags = {"malware"};
       protection_service->UploadForDeepScanning(
           download_,
           base::BindRepeating(
@@ -749,7 +753,7 @@ void DownloadItemModel::ExecuteCommand(DownloadCommands* download_commands,
               delegate->GetWeakPtr(), download_->GetId()),
           safe_browsing::DeepScanningRequest::DeepScanTrigger::
               TRIGGER_APP_PROMPT,
-          {safe_browsing::DeepScanningRequest::DeepScanType::SCAN_MALWARE});
+          std::move(settings));
       break;
   }
 }

chrome/browser/enterprise/connectors/analysis_service_settings.cc

@@ -100,6 +100,12 @@ base::Optional<AnalysisSettings> AnalysisServiceSettings::GetAnalysisSettings(
   return settings;
 }
 
+bool AnalysisServiceSettings::ShouldBlockUntilVerdict() const {
+  if (!IsValid())
+    return false;
+  return block_until_verdict_ == BlockUntilVerdict::BLOCK;
+}
+
 void AnalysisServiceSettings::AddUrlPatternSettings(
     const base::Value& url_settings_value,
     bool enabled,

chrome/browser/enterprise/connectors/analysis_service_settings.h

@@ -26,6 +26,9 @@ class AnalysisServiceSettings {
   // analysis should take place.
   base::Optional<AnalysisSettings> GetAnalysisSettings(const GURL& url) const;
 
+  // Get the block_until_verdict setting if the settings are valid.
+  bool ShouldBlockUntilVerdict() const;
+
  private:
   // The setting to apply when a specific URL pattern is matched.
   struct URLPatternSettings {

chrome/browser/enterprise/connectors/connectors_manager.cc

@@ -67,7 +67,7 @@ ConnectorsManager* ConnectorsManager::GetInstance() {
   return base::Singleton<ConnectorsManager>::get();
 }
 
-bool ConnectorsManager::IsConnectorEnabled(AnalysisConnector connector) {
+bool ConnectorsManager::IsConnectorEnabled(AnalysisConnector connector) const {
   if (!base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled))
     return false;
 
@@ -78,7 +78,7 @@ bool ConnectorsManager::IsConnectorEnabled(AnalysisConnector connector) {
   return pref && g_browser_process->local_state()->HasPrefPath(pref);
 }
 
-bool ConnectorsManager::IsConnectorEnabled(ReportingConnector connector) {
+bool ConnectorsManager::IsConnectorEnabled(ReportingConnector connector) const {
   if (!base::FeatureList::IsEnabled(kEnterpriseConnectorsEnabled))
     return false;
 
@@ -157,9 +157,22 @@ void ConnectorsManager::CacheReportingConnectorPolicy(
   }
 }
 
-bool ConnectorsManager::DelayUntilVerdict(AnalysisConnector connector) const {
-  bool upload = connector != AnalysisConnector::FILE_DOWNLOADED;
-  return LegacyBlockUntilVerdict(upload) == BlockUntilVerdict::BLOCK;
+bool ConnectorsManager::DelayUntilVerdict(AnalysisConnector connector) {
+  if (IsConnectorEnabled(connector)) {
+    if (analysis_connector_settings_.count(connector) == 0)
+      CacheAnalysisConnectorPolicy(connector);
+
+    if (analysis_connector_settings_.count(connector) &&
+        !analysis_connector_settings_.at(connector).empty()) {
+      return analysis_connector_settings_.at(connector)
+          .at(0)
+          .ShouldBlockUntilVerdict();
+    }
+    return false;
+  } else {
+    bool upload = connector != AnalysisConnector::FILE_DOWNLOADED;
+    return LegacyBlockUntilVerdict(upload) == BlockUntilVerdict::BLOCK;
+  }
 }
 
 base::Optional<AnalysisSettings>

chrome/browser/enterprise/connectors/connectors_manager.h

@@ -55,19 +55,10 @@ class ConnectorsManager {
       AnalysisConnector connector);
 
   // Checks if the corresponding connector is enabled.
-  bool IsConnectorEnabled(AnalysisConnector connector);
-  bool IsConnectorEnabled(ReportingConnector connector);
+  bool IsConnectorEnabled(AnalysisConnector connector) const;
+  bool IsConnectorEnabled(ReportingConnector connector) const;
 
-  bool DelayUntilVerdict(AnalysisConnector connector) const;
-
-  // Public legacy functions.
-  // These functions are used to interact with legacy policies and should only
-  // be called while the connectors equivalent isn't available. They should be
-  // removed once legacy policies are deprecated.
-
-  // Check a url against the corresponding URL patterns policies.
-  bool MatchURLAgainstLegacyDlpPolicies(const GURL& url, bool upload) const;
-  bool MatchURLAgainstLegacyMalwarePolicies(const GURL& url, bool upload) const;
+  bool DelayUntilVerdict(AnalysisConnector connector);
 
   // Public testing functions.
   const AnalysisConnectorsSettings& GetAnalysisConnectorsSettingsForTesting()
@@ -119,6 +110,9 @@ class ConnectorsManager {
   bool LegacyBlockLargeFiles(bool upload) const;
   bool LegacyBlockUnsupportedFileTypes(bool upload) const;
 
+  // Functions that check a url against the corresponding URL patterns policies.
+  bool MatchURLAgainstLegacyDlpPolicies(const GURL& url, bool upload) const;
+  bool MatchURLAgainstLegacyMalwarePolicies(const GURL& url, bool upload) const;
   std::set<std::string> MatchURLAgainstLegacyPolicies(const GURL& url,
                                                       bool upload) const;
 

chrome/browser/safe_browsing/download_protection/check_client_download_request.cc

@@ -259,27 +259,30 @@ void CheckClientDownloadRequest::MaybeStorePingsForDownload(
       result, upload_requested, item_, request_data, response_body);
 }
 
-bool CheckClientDownloadRequest::ShouldUploadBinary(
+base::Optional<enterprise_connectors::AnalysisSettings>
+CheckClientDownloadRequest::ShouldUploadBinary(
     DownloadCheckResultReason reason) {
   // If the download was destroyed, we can't upload it.
   if (reason == REASON_DOWNLOAD_DESTROYED)
-    return false;
+    return base::nullopt;
 
-  return DeepScanningRequest::ShouldUploadItemByPolicy(item_);
+  return DeepScanningRequest::ShouldUploadBinary(item_);
 }
 
 void CheckClientDownloadRequest::UploadBinary(
-    DownloadCheckResultReason reason) {
+    DownloadCheckResultReason reason,
+    enterprise_connectors::AnalysisSettings settings) {
   if (reason == REASON_DOWNLOAD_DANGEROUS || reason == REASON_WHITELISTED_URL) {
+    settings.tags.erase("malware");
     service()->UploadForDeepScanning(
         item_,
         base::BindRepeating(&MaybeOverrideDlpScanResult, reason, callback_),
         DeepScanningRequest::DeepScanTrigger::TRIGGER_POLICY,
-        {DeepScanningRequest::DeepScanType::SCAN_DLP});
+        std::move(settings));
   } else {
     service()->UploadForDeepScanning(
         item_, callback_, DeepScanningRequest::DeepScanTrigger::TRIGGER_POLICY,
-        DeepScanningRequest::AllScans());
+        std::move(settings));
   }
 }
 

chrome/browser/safe_browsing/download_protection/check_client_download_request.h

@@ -16,6 +16,7 @@
 #include "base/memory/ref_counted.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
+#include "chrome/browser/enterprise/connectors/common.h"
 #include "chrome/browser/safe_browsing/cloud_content_scanning/binary_upload_service.h"
 #include "chrome/browser/safe_browsing/download_protection/check_client_download_request_base.h"
 #include "chrome/browser/safe_browsing/download_protection/download_protection_util.h"
@@ -63,9 +64,13 @@ class CheckClientDownloadRequest : public CheckClientDownloadRequestBase,
                                   const std::string& response_body) override;
 
   // Uploads the binary for deep scanning if the reason and policies indicate
-  // it should be.
-  bool ShouldUploadBinary(DownloadCheckResultReason reason) override;
-  void UploadBinary(DownloadCheckResultReason reason) override;
+  // it should be. ShouldUploadBinary will returns the settings to apply for
+  // deep scanning if it should occur, or base::nullopt if no scan should be
+  // done.
+  base::Optional<enterprise_connectors::AnalysisSettings> ShouldUploadBinary(
+      DownloadCheckResultReason reason) override;
+  void UploadBinary(DownloadCheckResultReason reason,
+                    enterprise_connectors::AnalysisSettings settings) override;
 
   // Called when this request is completed.
   void NotifyRequestFinished(DownloadCheckResult result,

chrome/browser/safe_browsing/download_protection/check_client_download_request_base.cc

@@ -221,8 +221,9 @@ void CheckClientDownloadRequestBase::FinishRequest(
     reason = DownloadCheckResultReason::REASON_ADVANCED_PROTECTION_PROMPT;
   }
 
-  if (ShouldUploadBinary(reason)) {
-    UploadBinary(reason);
+  auto settings = ShouldUploadBinary(reason);
+  if (settings.has_value()) {
+    UploadBinary(reason, std::move(settings.value()));
   } else {
     std::move(callback_).Run(result);
   }

chrome/browser/safe_browsing/download_protection/check_client_download_request_base.h

@@ -17,6 +17,7 @@
 #include "base/files/file_path.h"
 #include "base/memory/ref_counted.h"
 #include "build/build_config.h"
+#include "chrome/browser/enterprise/connectors/common.h"
 #include "chrome/browser/safe_browsing/download_protection/download_protection_util.h"
 #include "chrome/browser/safe_browsing/download_protection/file_analyzer.h"
 #include "chrome/browser/safe_browsing/safe_browsing_navigation_observer_manager.h"
@@ -130,14 +131,17 @@ class CheckClientDownloadRequestBase {
                                           const std::string& request_data,
                                           const std::string& response_body) = 0;
 
-  // Called after receiving, or failing to receive a response from the server.
   // Returns whether or not the file should be uploaded to Safe Browsing for
-  // deep scanning.
-  virtual bool ShouldUploadBinary(DownloadCheckResultReason reason) = 0;
-
-  // If ShouldUploadBinary is true, actually performs the upload to Safe
-  // Browsing for deep scanning.
-  virtual void UploadBinary(DownloadCheckResultReason reason) = 0;
+  // deep scanning. Returns the settings to apply for analysis if the file
+  // should be uploaded for deep scanning, or base::nullopt if it should not.
+  virtual base::Optional<enterprise_connectors::AnalysisSettings>
+  ShouldUploadBinary(DownloadCheckResultReason reason) = 0;
+
+  // If ShouldUploadBinary returns settings, actually performs the upload to
+  // Safe Browsing for deep scanning.
+  virtual void UploadBinary(
+      DownloadCheckResultReason reason,
+      enterprise_connectors::AnalysisSettings settings) = 0;
 
   // Called whenever a request has completed.
   virtual void NotifyRequestFinished(DownloadCheckResult result,

chrome/browser/safe_browsing/download_protection/check_native_file_system_write_request.cc

@@ -151,13 +151,15 @@ void CheckNativeFileSystemWriteRequest::MaybeStorePingsForDownload(
   // TODO(https://crbug.com/996797): Integrate with DownloadFeedbackService.
 }
 
-bool CheckNativeFileSystemWriteRequest::ShouldUploadBinary(
+base::Optional<enterprise_connectors::AnalysisSettings>
+CheckNativeFileSystemWriteRequest::ShouldUploadBinary(
     DownloadCheckResultReason reason) {
-  return false;
+  return base::nullopt;
 }
 
 void CheckNativeFileSystemWriteRequest::UploadBinary(
-    DownloadCheckResultReason reason) {}
+    DownloadCheckResultReason reason,
+    enterprise_connectors::AnalysisSettings settings) {}
 
 bool CheckNativeFileSystemWriteRequest::ShouldPromptForDeepScanning(
     DownloadCheckResultReason reason) const {

chrome/browser/safe_browsing/download_protection/check_native_file_system_write_request.h

@@ -49,8 +49,10 @@ class CheckNativeFileSystemWriteRequest
                                   bool upload_requested,
                                   const std::string& request_data,
                                   const std::string& response_body) override;
-  bool ShouldUploadBinary(DownloadCheckResultReason reason) override;
-  void UploadBinary(DownloadCheckResultReason reason) override;
+  base::Optional<enterprise_connectors::AnalysisSettings> ShouldUploadBinary(
+      DownloadCheckResultReason reason) override;
+  void UploadBinary(DownloadCheckResultReason reason,
+                    enterprise_connectors::AnalysisSettings settings) override;
   bool ShouldPromptForDeepScanning(
       DownloadCheckResultReason reason) const override;
   void NotifyRequestFinished(DownloadCheckResult result,

chrome/browser/safe_browsing/download_protection/deep_scanning_request.cc

@@ -93,26 +93,16 @@ void DeepScanningClientResponseToDownloadCheckResult(
   *download_result = DownloadCheckResult::DEEP_SCANNED_SAFE;
 }
 
-bool ShouldUploadForDlpScanByPolicy(download::DownloadItem* item) {
-  if (!base::FeatureList::IsEnabled(kContentComplianceEnabled))
-    return false;
-
+bool ShouldUploadForDlpScanByLegacyPolicy() {
   int check_content_compliance = g_browser_process->local_state()->GetInteger(
       prefs::kCheckContentCompliance);
-  if (check_content_compliance !=
-          CheckContentComplianceValues::CHECK_DOWNLOADS &&
-      check_content_compliance !=
-          CheckContentComplianceValues::CHECK_UPLOADS_AND_DOWNLOADS)
-    return false;
-
-  return enterprise_connectors::ConnectorsManager::GetInstance()
-      ->MatchURLAgainstLegacyDlpPolicies(item->GetURL(), /*upload*/ false);
+  return (check_content_compliance ==
+              CheckContentComplianceValues::CHECK_DOWNLOADS ||
+          check_content_compliance ==
+              CheckContentComplianceValues::CHECK_UPLOADS_AND_DOWNLOADS);
 }
 
-bool ShouldUploadForMalwareScanByPolicy(download::DownloadItem* item) {
-  if (!base::FeatureList::IsEnabled(kMalwareScanEnabled))
-    return false;
-
+bool ShouldUploadForMalwareScanByLegacyPolicy(download::DownloadItem* item) {
   content::BrowserContext* browser_context =
       content::DownloadItemUtils::GetBrowserContext(item);
   if (!browser_context)
@@ -124,52 +114,72 @@ bool ShouldUploadForMalwareScanByPolicy(download::DownloadItem* item) {
 
   int send_files_for_malware_check = profile->GetPrefs()->GetInteger(
       prefs::kSafeBrowsingSendFilesForMalwareCheck);
-  if (send_files_for_malware_check !=
-          SendFilesForMalwareCheckValues::SEND_DOWNLOADS &&
-      send_files_for_malware_check !=
-          SendFilesForMalwareCheckValues::SEND_UPLOADS_AND_DOWNLOADS)
-    return false;
-
-  return enterprise_connectors::ConnectorsManager::GetInstance()
-      ->MatchURLAgainstLegacyMalwarePolicies(item->GetURL(), /*upload*/ false);
+  return (send_files_for_malware_check ==
+              SendFilesForMalwareCheckValues::SEND_DOWNLOADS ||
+          send_files_for_malware_check ==
+              SendFilesForMalwareCheckValues::SEND_UPLOADS_AND_DOWNLOADS);
 }
 
 }  // namespace
 
 /* static */
-bool DeepScanningRequest::ShouldUploadItemByPolicy(
-    download::DownloadItem* item) {
-  return ShouldUploadForDlpScanByPolicy(item) ||
-         ShouldUploadForMalwareScanByPolicy(item);
-}
+base::Optional<enterprise_connectors::AnalysisSettings>
+DeepScanningRequest::ShouldUploadBinary(download::DownloadItem* item) {
+  bool dlp_scan = base::FeatureList::IsEnabled(kContentComplianceEnabled);
+  bool malware_scan = base::FeatureList::IsEnabled(kMalwareScanEnabled);
+
+  // If neither DLP or malware scanning is enabled by features, don't perform
+  // scans.
+  if (!dlp_scan && !malware_scan)
+    return base::nullopt;
+
+  auto* connectors_manager =
+      enterprise_connectors::ConnectorsManager::GetInstance();
+
+  // If the settings arent't obtained by the FILE_DOWNLOADED connector, check
+  // the legacy DLP and Malware policies.
+  if (!connectors_manager->IsConnectorEnabled(
+          enterprise_connectors::AnalysisConnector::FILE_DOWNLOADED)) {
+    if (dlp_scan)
+      dlp_scan = ShouldUploadForDlpScanByLegacyPolicy();
+    if (malware_scan)
+      malware_scan = ShouldUploadForMalwareScanByLegacyPolicy(item);
+
+    if (!dlp_scan && !malware_scan)
+      return base::nullopt;
+  }
 
-/* static */
-std::vector<DeepScanningRequest::DeepScanType> DeepScanningRequest::AllScans() {
-  return {DeepScanType::SCAN_DLP, DeepScanType::SCAN_MALWARE};
-}
+  // Check that item->GetURL() matches the appropriate URL patterns by getting
+  // settings. No settings means no matches were found.
+  auto settings = connectors_manager->GetAnalysisSettings(
+      item->GetURL(),
+      enterprise_connectors::AnalysisConnector::FILE_DOWNLOADED);
 
-DeepScanningRequest::DeepScanningRequest(
-    download::DownloadItem* item,
-    DeepScanTrigger trigger,
-    CheckDownloadRepeatingCallback callback,
-    DownloadProtectionService* download_service)
-    : DeepScanningRequest(item,
-                          trigger,
-                          callback,
-                          download_service,
-                          DeepScanningRequest::AllScans()) {}
+  if (!settings.has_value())
+    return base::nullopt;
+
+  if (!dlp_scan)
+    settings.value().tags.erase("dlp");
+  if (!malware_scan)
+    settings.value().tags.erase("malware");
+
+  if (settings.value().tags.empty())
+    return base::nullopt;
+
+  return settings;
+}
 
 DeepScanningRequest::DeepScanningRequest(
     download::DownloadItem* item,
     DeepScanTrigger trigger,
     CheckDownloadRepeatingCallback callback,
     DownloadProtectionService* download_service,
-    std::vector<DeepScanType> allowed_scans)
+    enterprise_connectors::AnalysisSettings settings)
     : item_(item),
       trigger_(trigger),
       callback_(callback),
       download_service_(download_service),
-      allowed_scans_(allowed_scans),
+      analysis_settings_(std::move(settings)),
       weak_ptr_factory_(this) {
   item_->AddObserver(this);
 }
@@ -179,18 +189,6 @@ DeepScanningRequest::~DeepScanningRequest() {
 }
 
 void DeepScanningRequest::Start() {
-  auto settings =
-      enterprise_connectors::ConnectorsManager::GetInstance()
-          ->GetAnalysisSettings(
-              item_->GetURL(),
-              enterprise_connectors::AnalysisConnector::FILE_DOWNLOADED);
-  if (!settings.has_value()) {
-    OnScanComplete(BinaryUploadService::Result::SUCCESS,
-                   DeepScanningClientResponse());
-    return;
-  }
-  analysis_settings_ = std::move(settings.value());
-
   // Indicate we're now scanning the file.
   callback_.Run(DownloadCheckResult::ASYNC_SCANNING);
 
@@ -217,8 +215,8 @@ void DeepScanningRequest::Start() {
     policy::DMToken dm_token = GetDMToken(profile);
     request->set_dm_token(dm_token.value());
 
-    if (ShouldUploadForDlpScanByPolicy(item_) &&
-        ScanIsAllowed(DeepScanType::SCAN_DLP)) {
+    if (base::FeatureList::IsEnabled(kContentComplianceEnabled) &&
+        (analysis_settings_.tags.count("dlp") == 1)) {
       DlpDeepScanningClientRequest dlp_request;
       dlp_request.set_content_source(
           DlpDeepScanningClientRequest::FILE_DOWNLOAD);
@@ -228,8 +226,8 @@ void DeepScanningRequest::Start() {
       request->set_request_dlp_scan(std::move(dlp_request));
     }
 
-    if (ShouldUploadForMalwareScanByPolicy(item_) &&
-        ScanIsAllowed(DeepScanType::SCAN_MALWARE)) {
+    if (base::FeatureList::IsEnabled(kMalwareScanEnabled) &&
+        (analysis_settings_.tags.count("malware") == 1)) {
       MalwareDeepScanningClientRequest malware_request;
       malware_request.set_population(
           MalwareDeepScanningClientRequest::POPULATION_ENTERPRISE);
@@ -283,20 +281,14 @@ void DeepScanningRequest::OnScanComplete(BinaryUploadService::Result result,
   } else if (result == BinaryUploadService::Result::FILE_TOO_LARGE ||
              result == BinaryUploadService::Result::FILE_ENCRYPTED ||
              result == BinaryUploadService::Result::UNSUPPORTED_FILE_TYPE) {
-    auto settings =
-        enterprise_connectors::ConnectorsManager::GetInstance()
-            ->GetAnalysisSettings(
-                item_->GetURL(),
-                enterprise_connectors::AnalysisConnector::FILE_DOWNLOADED)
-            .value_or(enterprise_connectors::AnalysisSettings());
     if (result == BinaryUploadService::Result::FILE_TOO_LARGE) {
-      if (settings.block_large_files)
+      if (analysis_settings_.block_large_files)
         download_result = DownloadCheckResult::BLOCKED_TOO_LARGE;
     } else if (result == BinaryUploadService::Result::FILE_ENCRYPTED) {
-      if (settings.block_password_protected_files)
+      if (analysis_settings_.block_password_protected_files)
         download_result = DownloadCheckResult::BLOCKED_PASSWORD_PROTECTED;
     } else if (result == BinaryUploadService::Result::UNSUPPORTED_FILE_TYPE) {
-      if (settings.block_unsupported_file_types)
+      if (analysis_settings_.block_unsupported_file_types)
         download_result = DownloadCheckResult::BLOCKED_UNSUPPORTED_FILE_TYPE;
     }
   }
@@ -342,8 +334,4 @@ void DeepScanningRequest::OpenDownload() {
   FinishRequest(DownloadCheckResult::UNKNOWN);
 }
 
-bool DeepScanningRequest::ScanIsAllowed(DeepScanType scan) {
-  return base::Contains(allowed_scans_, scan);
-}
-
 }  // namespace safe_browsing

chrome/browser/safe_browsing/download_protection/deep_scanning_request.h

@@ -36,37 +36,20 @@ class DeepScanningRequest : public download::DownloadItem::Observer {
     TRIGGER_POLICY,
   };
 
-  // Enum representing the possible scans for a deep scanning request.
-  enum class DeepScanType {
-    // Scan for malware
-    SCAN_MALWARE,
-
-    // Scan for DLP policy violations
-    SCAN_DLP,
-  };
-
   // Checks the current policies to determine whether files must be uploaded by
-  // policy.
-  static bool ShouldUploadItemByPolicy(download::DownloadItem* item);
-
-  // Returns all scans supported.
-  static std::vector<DeepScanType> AllScans();
+  // policy. Returns the settings to apply to this analysis if it should happen
+  // or base::nullopt if no analysis should happen.
+  static base::Optional<enterprise_connectors::AnalysisSettings>
+  ShouldUploadBinary(download::DownloadItem* item);
 
   // Scan the given |item|, with the given |trigger|. The result of the scanning
   // will be provided through |callback|. Take references to the owning
   // |download_service| and the |binary_upload_service| to upload to.
-  DeepScanningRequest(download::DownloadItem* item,
-                      DeepScanTrigger trigger,
-                      CheckDownloadRepeatingCallback callback,
-                      DownloadProtectionService* download_service);
-
-  // Same as the previous constructor, but only allowing the scans listed in
-  // |allowed_scans| to run.
   DeepScanningRequest(download::DownloadItem* item,
                       DeepScanTrigger trigger,
                       CheckDownloadRepeatingCallback callback,
                       DownloadProtectionService* download_service,
-                      std::vector<DeepScanType> allowed_scans);
+                      enterprise_connectors::AnalysisSettings settings);
 
   ~DeepScanningRequest() override;
 
@@ -94,9 +77,6 @@ class DeepScanningRequest : public download::DownloadItem::Observer {
   // Called to open the download. This is triggered by the timeout modal dialog.
   void OpenDownload();
 
-  // Whether the given |scan| is in the list of |allowed_scans_|.
-  bool ScanIsAllowed(DeepScanType scan);
-
   // The download item to scan. This is unowned, and could become nullptr if the
   // download is destroyed.
   download::DownloadItem* item_;
@@ -111,9 +91,6 @@ class DeepScanningRequest : public download::DownloadItem::Observer {
   // |download_service_| owns this class.
   DownloadProtectionService* download_service_;
 
-  // The scans allowed to be performed.
-  std::vector<DeepScanType> allowed_scans_;
-
   // The time when uploading starts.
   base::TimeTicks upload_start_time_;
 

chrome/browser/safe_browsing/download_protection/download_protection_service.cc

@@ -14,6 +14,7 @@
 #include "base/task/task_traits.h"
 #include "base/task/thread_pool.h"
 #include "chrome/browser/browser_process.h"
+#include "chrome/browser/enterprise/connectors/connectors_manager.h"
 #include "chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router.h"
 #include "chrome/browser/extensions/api/safe_browsing_private/safe_browsing_private_event_router_factory.h"
 #include "chrome/browser/profiles/profile.h"
@@ -181,18 +182,17 @@ bool DownloadProtectionService::MaybeCheckClientDownload(
       content::DownloadItemUtils::GetBrowserContext(item));
   bool safe_browsing_enabled =
       profile && IsSafeBrowsingEnabled(*profile->GetPrefs());
-  bool deep_scanning_enabled =
-      DeepScanningRequest::ShouldUploadItemByPolicy(item);
 
   if (safe_browsing_enabled) {
     CheckClientDownload(item, std::move(callback));
     return true;
   }
 
-  if (deep_scanning_enabled) {
+  auto settings = DeepScanningRequest::ShouldUploadBinary(item);
+  if (settings.has_value()) {
     UploadForDeepScanning(item, std::move(callback),
                           DeepScanningRequest::DeepScanTrigger::TRIGGER_POLICY,
-                          DeepScanningRequest::AllScans());
+                          std::move(settings.value()));
     return true;
   }
 
@@ -579,10 +579,10 @@ void DownloadProtectionService::UploadForDeepScanning(
     download::DownloadItem* item,
     CheckDownloadRepeatingCallback callback,
     DeepScanningRequest::DeepScanTrigger trigger,
-    std::vector<DeepScanningRequest::DeepScanType> allowed_scans) {
+    enterprise_connectors::AnalysisSettings analysis_settings) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
-  auto request = std::make_unique<DeepScanningRequest>(item, trigger, callback,
-                                                       this, allowed_scans);
+  auto request = std::make_unique<DeepScanningRequest>(
+      item, trigger, callback, this, std::move(analysis_settings));
   DeepScanningRequest* request_raw = request.get();
   auto insertion_result = deep_scanning_requests_.insert(
       std::make_pair(request_raw, std::move(request)));

chrome/browser/safe_browsing/download_protection/download_protection_service.h

@@ -25,6 +25,7 @@
 #include "base/memory/weak_ptr.h"
 #include "base/supports_user_data.h"
 #include "chrome/browser/download/download_commands.h"
+#include "chrome/browser/enterprise/connectors/common.h"
 #include "chrome/browser/safe_browsing/cloud_content_scanning/binary_upload_service.h"
 #include "chrome/browser/safe_browsing/download_protection/deep_scanning_request.h"
 #include "chrome/browser/safe_browsing/download_protection/download_protection_util.h"
@@ -200,7 +201,7 @@ class DownloadProtectionService {
       download::DownloadItem* item,
       CheckDownloadRepeatingCallback callback,
       DeepScanningRequest::DeepScanTrigger trigger,
-      std::vector<DeepScanningRequest::DeepScanType> allowed_scans);
+      enterprise_connectors::AnalysisSettings analysis_settings);
 
   scoped_refptr<network::SharedURLLoaderFactory> GetURLLoaderFactory(
       content::BrowserContext* browser_context);