Use force-installed extensions permissions to decide login disclosure string

There are 2 warnings can be displayed on the login screen for the managed guest session based on the force-install extensions list. Currently the message is selected based on a static list of white-listed extensions IDs. This behaviour is extended to decide the warning message based on the extensions permissions if the extensions ID is not white-listed. The local state file is updated accordingly, and the default value for the first time is to display the complete warning message. The current behaviour for displaying the login screen warnings won't be switched now to this new behaviour. This will be made in a separate cl. Bug: 1015378 Change-Id: Ic339e5480794e3c3d084f4290f6faa3ac6e3045e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1960281 Commit-Queue: Aya Elsayed <ayaelattar@google.com> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#747028}

Use force-installed extensions permissions to decide login disclosure string
There are 2 warnings can be displayed on the login screen for the managed guest session based on the force-install extensions list. Currently the message is selected based on a static list of white-listed extensions IDs. This behaviour is extended to decide the warning message based on the extensions permissions if the extensions ID is not white-listed. The local state file is updated accordingly, and the default value for the first time is to display the complete warning message. The current behaviour for displaying the login screen warnings won't be switched now to this new behaviour. This will be made in a separate cl. Bug: 1015378 Change-Id: Ic339e5480794e3c3d084f4290f6faa3ac6e3045e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1960281 Commit-Queue: Aya Elsayed <ayaelattar@google.com> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Sergey Poromov <poromov@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Cr-Commit-Position: refs/heads/master@{#747028}
b4f7a5f0 · Aya ElAttar · Commit Bot · 2b3d19ca · b4f7a5f0 · b4f7a5f0
Commit b4f7a5f0 authored Mar 05, 2020 by Aya ElAttar Committed by Commit Bot Mar 05, 2020
11 changed files
--- a/chrome/browser/chromeos/BUILD.gn
+++ b/chrome/browser/chromeos/BUILD.gn
@@ -1005,6 +1005,8 @@ source_set("chromeos") {
    "extensions/dictionary_event_router.h",
    "extensions/extension_tab_util_delegate_chromeos.cc",
    "extensions/extension_tab_util_delegate_chromeos.h",
+    "extensions/extensions_permissions_tracker.cc",
+    "extensions/extensions_permissions_tracker.h",
    "extensions/external_cache.cc",
    "extensions/external_cache.h",
    "extensions/external_cache_delegate.h",

--- a/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.h
+++ b/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.h
@@ -12,6 +12,9 @@
 #include "chrome/browser/chromeos/policy/device_local_account.h"
 #include "extensions/browser/management_policy.h"

+// TODO(crbug.com/1033508): Refactor this class, because the behavior of
+// IsWhitelisted, and UserMayLoad are no longer used.
+
 namespace chromeos {

 // A managed policy for device-local accounts that ensures only extensions whose

--- a/chrome/browser/chromeos/extensions/extensions_permissions_tracker.cc
+++ b/chrome/browser/chromeos/extensions/extensions_permissions_tracker.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/extensions/extensions_permissions_tracker.h"
+
+#include "base/stl_util.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/chromeos/policy/device_local_account.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/common/pref_names.h"
+#include "chromeos/login/login_state/login_state.h"
+#include "components/prefs/pref_registry_simple.h"
+#include "components/prefs/pref_service.h"
+#include "extensions/browser/device_local_account_util.h"
+#include "extensions/browser/pref_names.h"
+#include "extensions/common/permissions/api_permission.h"
+#include "extensions/common/permissions/manifest_permission_set.h"
+#include "extensions/common/permissions/permission_set.h"
+#include "extensions/common/permissions/permissions_data.h"
+
+namespace extensions {
+
+ExtensionsPermissionsTracker::ExtensionsPermissionsTracker(
+    ExtensionRegistry* registry,
+    content::BrowserContext* browser_context)
+    : registry_(registry),
+      pref_service_(Profile::FromBrowserContext(browser_context)->GetPrefs()) {
+  observer_.Add(registry_);
+  pref_change_registrar_.Init(pref_service_);
+  pref_change_registrar_.Add(
+      pref_names::kInstallForceList,
+      base::BindRepeating(
+          &ExtensionsPermissionsTracker::OnForcedExtensionsPrefChanged,
+          base::Unretained(
+              this)));  // Safe as ExtensionsPermissionsTracker
+                        // owns pref_change_registrar_ & outlives it
+  // Try to load list now.
+  OnForcedExtensionsPrefChanged();
+}
+
+ExtensionsPermissionsTracker::~ExtensionsPermissionsTracker() = default;
+
+void ExtensionsPermissionsTracker::OnForcedExtensionsPrefChanged() {
+  // TODO(crbug.com/1015378): handle pref_names::kExtensionManagement with
+  // installation_mode: forced.
+  const base::Value* value = pref_service_->Get(pref_names::kInstallForceList);
+  if (!value || value->type() != base::Value::Type::DICTIONARY) {
+    return;
+  }
+
+  extension_safety_ratings_.clear();
+  pending_forced_extensions_.clear();
+
+  for (const auto& entry : value->DictItems()) {
+    const ExtensionId& extension_id = entry.first;
+    // By default the extension permissions are assumed to trigger full warning
+    // (false). When the extension is loaded, if all of its permissions is safe,
+    // it'll be marked safe (true)
+    extension_safety_ratings_.insert(make_pair(extension_id, false));
+    const Extension* extension =
+        registry_->GetExtensionById(extension_id, ExtensionRegistry::ENABLED);
+    if (extension)
+      ParseExtensionPermissions(extension);
+    else
+      pending_forced_extensions_.insert(extension_id);
+  }
+  if (pending_forced_extensions_.empty())
+    UpdateLocalState();
+}
+
+bool ExtensionsPermissionsTracker::IsSafePerms(
+    const PermissionsData* perms_data) const {
+  APIPermissionSet api_permissions =
+      perms_data->active_permissions().apis().Clone();
+  for (auto* permission : api_permissions) {
+    if (!permission->info()->requires_managed_session_full_login_warning()) {
+      return false;
+    }
+  }
+  ManifestPermissionSet manifest_permissions =
+      perms_data->active_permissions().manifest_permissions().Clone();
+  for (const auto* permission : manifest_permissions) {
+    if (!permission->RequiresManagedSessionFullLoginWarning()) {
+      return false;
+    }
+  }
+  return true;
+}
+
+void ExtensionsPermissionsTracker::OnExtensionLoaded(
+    content::BrowserContext* browser_context,
+    const Extension* extension) {
+  auto itr = extension_safety_ratings_.find(extension->id());
+  if (itr == extension_safety_ratings_.end())
+    return;
+  pending_forced_extensions_.erase(extension->id());
+
+  ParseExtensionPermissions(extension);
+
+  // If the extension isn't safe or all extensions are loaded, update the local
+  // state.
+  if (!itr->second || pending_forced_extensions_.empty())
+    UpdateLocalState();
+}
+
+void ExtensionsPermissionsTracker::UpdateLocalState() {
+  bool any_unsafe = std::any_of(
+      extension_safety_ratings_.begin(), extension_safety_ratings_.end(),
+      [](const auto& key_value) { return !key_value.second; });
+
+  DCHECK(pending_forced_extensions_.empty() || any_unsafe);
+
+  g_browser_process->local_state()->SetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning, any_unsafe);
+}
+
+// static
+void ExtensionsPermissionsTracker::RegisterLocalStatePrefs(
+    PrefRegistrySimple* registry) {
+  registry->RegisterBooleanPref(prefs::kManagedSessionUseFullLoginWarning,
+                                true);
+}
+
+void ExtensionsPermissionsTracker::ParseExtensionPermissions(
+    const Extension* extension) {
+  bool is_safe = IsWhitelistedForPublicSession(extension->id()) ||
+                 IsSafePerms(extension->permissions_data());
+
+  extension_safety_ratings_[extension->id()] = is_safe;
+}
+
+}  // namespace extensions
--- a/chrome/browser/chromeos/extensions/extensions_permissions_tracker.h
+++ b/chrome/browser/chromeos/extensions/extensions_permissions_tracker.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_EXTENSIONS_EXTENSIONS_PERMISSIONS_TRACKER_H_
+#define CHROME_BROWSER_CHROMEOS_EXTENSIONS_EXTENSIONS_PERMISSIONS_TRACKER_H_
+
+#include "base/scoped_observer.h"
+#include "components/prefs/pref_change_registrar.h"
+#include "components/prefs/pref_registry_simple.h"
+#include "extensions/browser/extension_registry.h"
+#include "extensions/browser/extension_registry_observer.h"
+#include "extensions/common/extension.h"
+
+namespace content {
+class BrowserContext;
+}
+
+namespace extensions {
+
+// Used to track the installation of the force-installed extensions of the
+// managed-guest session to decide whether the permissions of the extensions
+// should trigger the full warning on the login screen or not. The result is
+// saved in the local state perf, and the login screen warning of the managed
+// guest session is updated accordingly. ExtensionSystemImpl owns this class and
+// outlives it.
+class ExtensionsPermissionsTracker : public ExtensionRegistryObserver {
+ public:
+  ExtensionsPermissionsTracker(ExtensionRegistry* registry,
+                               content::BrowserContext* browser_context);
+  ExtensionsPermissionsTracker(const ExtensionsPermissionsTracker&) = delete;
+  ExtensionsPermissionsTracker& operator=(const ExtensionsPermissionsTracker&) =
+      delete;
+  ~ExtensionsPermissionsTracker() override;
+
+  static void RegisterLocalStatePrefs(PrefRegistrySimple* registry);
+
+  // ExtensionRegistryObserver overrides:
+  void OnExtensionLoaded(content::BrowserContext* browser_context,
+                         const Extension* extension) override;
+
+ protected:
+  virtual bool IsSafePerms(const PermissionsData* perms_data) const;
+
+ private:
+  // Loads list of force-installed extensions if it's available.
+  void OnForcedExtensionsPrefChanged();
+
+  void UpdateLocalState();
+  void ParseExtensionPermissions(const Extension* extension);
+
+  // Unowned, but guaranteed to outlive this object.
+  ExtensionRegistry* registry_;
+
+  // Unowned, but guaranteed to outlive this object.
+  PrefService* pref_service_;
+
+  PrefChangeRegistrar pref_change_registrar_;
+
+  // // Whether the extension is considered "safe". If any extension is not, it
+  // will result in the full warning being shown on the login screen.
+  std::map<ExtensionId, bool> extension_safety_ratings_;
+
+  // Set of not yet loaded force installed extensions.
+  std::set<ExtensionId> pending_forced_extensions_;
+
+  ScopedObserver<ExtensionRegistry, ExtensionRegistryObserver> observer_{this};
+};
+
+}  // namespace extensions
+
+#endif  // CHROME_BROWSER_CHROMEOS_EXTENSIONS_EXTENSIONS_PERMISSIONS_TRACKER_H_
--- a/chrome/browser/chromeos/extensions/extensions_permissions_tracker_unittest.cc
+++ b/chrome/browser/chromeos/extensions/extensions_permissions_tracker_unittest.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/extensions/extensions_permissions_tracker.h"
+
+#include "base/stl_util.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/chromeos/login/users/fake_chrome_user_manager.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/common/pref_names.h"
+#include "chrome/test/base/scoped_testing_local_state.h"
+#include "chrome/test/base/testing_browser_process.h"
+#include "chrome/test/base/testing_profile.h"
+#include "chromeos/login/login_state/scoped_test_public_session_login_state.h"
+#include "components/sync_preferences/testing_pref_service_syncable.h"
+#include "content/public/test/browser_task_environment.h"
+#include "extensions/browser/pref_names.h"
+#include "extensions/common/extension_builder.h"
+#include "extensions/common/permissions/permissions_data.h"
+#include "extensions/common/value_builder.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using ::testing::_;
+using ::testing::Return;
+
+namespace extensions {
+
+namespace {
+constexpr char kExtensionId1[] = "id1";
+constexpr char kExtensionId2[] = "id2";
+constexpr char kExtensionId3[] = "id3";
+constexpr char kExtensionUrl1[] = "url1";
+constexpr char kExtensionUrl2[] = "url2";
+constexpr char kExtensionUrl3[] = "url3";
+const char* const kSafePermissionsSet1[] = {"accessibilityFeatures.modify",
+                                            "accessibilityFeatures.read"};
+
+const char* const kSafePermissionsSet2[] = {"background", "alarms"};
+
+const char* const kUnsafePermissionsSet1[] = {"debugger", "history", "input"};
+
+const char* const kUnsafePermissionsSet2[] = {"topSites", "ttsEngine",
+                                              "webNavigation"};
+}  // namespace
+
+class MockExtensionsPermissionsTracker : public ExtensionsPermissionsTracker {
+ public:
+  MockExtensionsPermissionsTracker(ExtensionRegistry* registry,
+                                   content::BrowserContext* browser_context)
+      : ExtensionsPermissionsTracker(registry, browser_context) {
+    safe_permissions_.insert(
+        kSafePermissionsSet1,
+        kSafePermissionsSet1 + base::size(kSafePermissionsSet1));
+    safe_permissions_.insert(
+        kSafePermissionsSet2,
+        kSafePermissionsSet2 + base::size(kSafePermissionsSet2));
+  }
+
+  // ExtensionsPermissionsTracker:
+  bool IsSafePerms(const PermissionsData* perms_data) const override {
+    std::set<std::string> perms_strings =
+        perms_data->active_permissions().GetAPIsAsStrings();
+    for (const auto& perm : perms_strings) {
+      if (safe_permissions_.find(perm) == safe_permissions_.end())
+        return false;
+    }
+    return true;
+  }
+
+ private:
+  std::set<std::string> safe_permissions_;
+};
+
+class ExtensionsPermissionsTrackerTest : public testing::Test {
+ public:
+  ExtensionsPermissionsTrackerTest()
+      : prefs_(profile_.GetTestingPrefService()),
+        registry_(ExtensionRegistry::Get(&profile_)),
+        testing_local_state_(TestingBrowserProcess::GetGlobal()) {}
+
+  base::Value SetupForceList() {
+    base::Value dict(base::Value::Type::DICTIONARY);
+    dict.SetKey(kExtensionId1, base::Value(kExtensionUrl1));
+    dict.SetKey(kExtensionId2, base::Value(kExtensionUrl2));
+    prefs_->SetManagedPref(pref_names::kInstallForceList,
+                           base::Value::ToUniquePtrValue(dict.Clone()));
+    return dict;
+  }
+
+  void SetupEmptyForceList() {
+    std::unique_ptr<base::Value> dict =
+        std::make_unique<base::DictionaryValue>();
+    prefs_->SetManagedPref(pref_names::kInstallForceList, std::move(dict));
+  }
+
+  void CreateExtensionsPermissionsTracker() {
+    permissions_tracker_ = std::make_unique<MockExtensionsPermissionsTracker>(
+        registry_, &profile_);
+  }
+
+  void AddExtensionWithIdAndPermissions(
+      const std::string& extension_id,
+      const std::vector<std::string>& permissions) {
+    auto extension = ExtensionBuilder(extension_id)
+                         .SetID(extension_id)
+                         .AddPermissions(permissions)
+                         .Build();
+    registry_->AddEnabled(extension);
+
+    registry_->TriggerOnLoaded(extension.get());
+  }
+
+ protected:
+  content::BrowserTaskEnvironment task_environment_;
+  TestingProfile profile_;
+  sync_preferences::TestingPrefServiceSyncable* prefs_;
+  ExtensionRegistry* registry_;
+  ScopedTestingLocalState testing_local_state_;
+  std::unique_ptr<MockExtensionsPermissionsTracker> permissions_tracker_;
+
+  DISALLOW_COPY_AND_ASSIGN(ExtensionsPermissionsTrackerTest);
+};
+
+TEST_F(ExtensionsPermissionsTrackerTest, EmptyForceList) {
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+
+  SetupEmptyForceList();
+  CreateExtensionsPermissionsTracker();
+
+  EXPECT_FALSE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, SafeForceListInstalled) {
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+
+  SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kSafePermissionsSet1,
+      kSafePermissionsSet1 + base::size(kSafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+
+  std::vector<std::string> v2(
+      kSafePermissionsSet2,
+      kSafePermissionsSet2 + base::size(kSafePermissionsSet2));
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  EXPECT_FALSE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, UnsafeForceListInstalled) {
+  SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kUnsafePermissionsSet1,
+      kUnsafePermissionsSet1 + base::size(kUnsafePermissionsSet1));
+
+  std::vector<std::string> v2(
+      kUnsafePermissionsSet2,
+      kUnsafePermissionsSet2 + base::size(kUnsafePermissionsSet2));
+
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, MixedForceListInstalled) {
+  SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kUnsafePermissionsSet1,
+      kUnsafePermissionsSet1 + base::size(kUnsafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+
+  std::vector<std::string> v2(
+      kSafePermissionsSet2,
+      kSafePermissionsSet2 + base::size(kSafePermissionsSet2));
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, ForceListIncreased) {
+  auto dict = SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kSafePermissionsSet1,
+      kSafePermissionsSet1 + base::size(kSafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+
+  std::vector<std::string> v2(
+      kSafePermissionsSet2,
+      kSafePermissionsSet2 + base::size(kSafePermissionsSet2));
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  EXPECT_FALSE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+
+  dict.SetKey(kExtensionId3, base::Value(kExtensionUrl3));
+  prefs_->SetManagedPref(pref_names::kInstallForceList,
+                         base::Value::ToUniquePtrValue(std::move(dict)));
+
+  std::vector<std::string> v3(
+      kUnsafePermissionsSet1,
+      kUnsafePermissionsSet1 + base::size(kUnsafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId3, v3);
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, ForceListDecreased) {
+  auto dict = SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kUnsafePermissionsSet1,
+      kUnsafePermissionsSet1 + base::size(kUnsafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+
+  std::vector<std::string> v2(
+      kSafePermissionsSet2,
+      kSafePermissionsSet2 + base::size(kSafePermissionsSet2));
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+
+  dict.RemoveKey(kExtensionId1);
+  prefs_->SetManagedPref(pref_names::kInstallForceList,
+                         base::Value::ToUniquePtrValue(std::move(dict)));
+  EXPECT_FALSE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, SafePendingExtensions) {
+  auto dict = SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kSafePermissionsSet1,
+      kSafePermissionsSet1 + base::size(kSafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+
+  std::vector<std::string> v2(
+      kSafePermissionsSet2,
+      kSafePermissionsSet2 + base::size(kSafePermissionsSet2));
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  EXPECT_FALSE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, UnsafePendingExtensions) {
+  auto dict = SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kSafePermissionsSet1,
+      kSafePermissionsSet1 + base::size(kSafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+
+  std::vector<std::string> v2(
+      kUnsafePermissionsSet1,
+      kUnsafePermissionsSet1 + base::size(kUnsafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, UnsafeForceListChanged) {
+  auto dict = SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kSafePermissionsSet1,
+      kSafePermissionsSet1 + base::size(kSafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+
+  std::vector<std::string> v2(
+      kUnsafePermissionsSet1,
+      kUnsafePermissionsSet1 + base::size(kUnsafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+
+  dict.RemoveKey(kExtensionId1);
+  prefs_->SetManagedPref(pref_names::kInstallForceList,
+                         base::Value::ToUniquePtrValue(std::move(dict)));
+
+  EXPECT_TRUE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+
+  dict.RemoveKey(kExtensionId2);
+  prefs_->SetManagedPref(pref_names::kInstallForceList,
+                         base::Value::ToUniquePtrValue(std::move(dict)));
+
+  EXPECT_FALSE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+TEST_F(ExtensionsPermissionsTrackerTest, OtherExtensionsLoaded) {
+  auto dict = SetupForceList();
+  CreateExtensionsPermissionsTracker();
+
+  std::vector<std::string> v1(
+      kSafePermissionsSet1,
+      kSafePermissionsSet1 + base::size(kSafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId1, v1);
+
+  std::vector<std::string> v2(
+      kSafePermissionsSet1,
+      kSafePermissionsSet1 + base::size(kSafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId2, v2);
+
+  std::vector<std::string> v3(
+      kUnsafePermissionsSet1,
+      kUnsafePermissionsSet1 + base::size(kUnsafePermissionsSet1));
+  AddExtensionWithIdAndPermissions(kExtensionId3, v3);
+
+  EXPECT_FALSE(testing_local_state_.Get()->GetBoolean(
+      prefs::kManagedSessionUseFullLoginWarning));
+}
+
+}  // namespace extensions
--- a/chrome/browser/extensions/extension_system_impl.cc
+++ b/chrome/browser/extensions/extension_system_impl.cc
@@ -68,6 +68,7 @@
 #include "chrome/browser/app_mode/app_mode_utils.h"
 #include "chrome/browser/chromeos/app_mode/kiosk_app_update_install_gate.h"
 #include "chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.h"
+#include "chrome/browser/chromeos/extensions/extensions_permissions_tracker.h"
 #include "chrome/browser/chromeos/extensions/signin_screen_policy_provider.h"
 #include "chrome/browser/chromeos/policy/device_local_account.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
@@ -237,6 +238,19 @@ void ExtensionSystemImpl::Shared::Init(bool extensions_enabled) {
 #if defined(OS_CHROMEOS)
    if (chromeos::ProfileHelper::IsLockScreenAppProfile(profile_))
      info_map()->SetIsLockScreenContext(true);
+
+    // This class is used to check the permissions of the force-installed
+    // extensions inside the managed-guest session. It updates the local state
+    // perf with the result, a boolean value deciding whether the full warning
+    // or the normal one should be displayed. The next time on the login screen
+    // of the managed-guest sessions the warning will be decided according to
+    // the value saved from the last session.
+    if (chromeos::LoginState::IsInitialized() &&
+        chromeos::LoginState::Get()->IsPublicSessionUser() &&
+        !chromeos::LoginState::Get()->ArePublicSessionRestrictionsEnabled()) {
+      extensions_permissions_tracker_.reset(new ExtensionsPermissionsTracker(
+          ExtensionRegistry::Get(profile_), profile_));
+    }
 #endif
    management_policy_.reset(new ManagementPolicy);
    RegisterManagementPolicyProviders();

--- a/chrome/browser/extensions/extension_system_impl.h
+++ b/chrome/browser/extensions/extension_system_impl.h
@@ -31,6 +31,7 @@ class UninstallPingSender;
 class InstallGate;
 class ValueStoreFactory;
 class ValueStoreFactoryImpl;
+class ExtensionsPermissionsTracker;

 // The ExtensionSystem for ProfileImpl and OffTheRecordProfileImpl.
 // Implementation details: non-shared services are owned by
@@ -151,6 +152,8 @@ class ExtensionSystemImpl : public ExtensionSystem {
    std::unique_ptr<chromeos::SigninScreenPolicyProvider>
        signin_screen_policy_provider_;
    std::unique_ptr<InstallGate> kiosk_app_update_install_gate_;
+    std::unique_ptr<ExtensionsPermissionsTracker>
+        extensions_permissions_tracker_;
 #endif

    base::OneShotEvent ready_;

--- a/chrome/browser/prefs/browser_prefs.cc
+++ b/chrome/browser/prefs/browser_prefs.cc
@@ -169,6 +169,7 @@
 #include "extensions/browser/api/runtime/runtime_api.h"
 #include "extensions/browser/extension_prefs.h"
 #if defined(OS_CHROMEOS)
+#include "chrome/browser/chromeos/extensions/extensions_permissions_tracker.h"
 #include "chrome/browser/chromeos/guest_os/guest_os_share_path.h"
 #include "chrome/browser/chromeos/kerberos/kerberos_credentials_manager.h"
 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_service.h"
@@ -744,6 +745,7 @@ void RegisterLocalState(PrefRegistrySimple* registry) {
  component_updater::MetadataTable::RegisterPrefs(registry);
  cryptauth::CryptAuthDeviceIdProviderImpl::RegisterLocalPrefs(registry);
  extensions::ExtensionAssetsManagerChromeOS::RegisterPrefs(registry);
+  extensions::ExtensionsPermissionsTracker::RegisterLocalStatePrefs(registry);
  extensions::lock_screen_data::LockScreenItemStorage::RegisterLocalState(
      registry);
  extensions::login_api::RegisterLocalStatePrefs(registry);

--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -891,6 +891,14 @@ const char kNetworkFileSharesAllowed[] = "network_file_shares.allowed";
 // session" mode which has lifted restrictions (true).
 const char kManagedSessionEnabled[] = "managed_session.enabled";

+// Boolean pref indicating whether the message displayed on the login screen for
+// the managed guest session should be the full warning or not.
+// True means the full warning should be displayed.
+// False means the normal warning should be displayed.
+// It's true by default, unless it's ensured that all extensions are "safe".
+const char kManagedSessionUseFullLoginWarning[] =
+    "managed_session.use_full_warning";
+
 // Boolean pref indicating whether the user has previously dismissed the
 // one-time notification indicating the need for a cleanup powerwash after TPM
 // firmware update that didn't flush the TPM SRK.

--- a/chrome/common/pref_names.h
+++ b/chrome/common/pref_names.h
@@ -295,6 +295,7 @@ extern const char kScreenTimeLastState[];
 extern const char kEnableSyncConsent[];
 extern const char kNetworkFileSharesAllowed[];
 extern const char kManagedSessionEnabled[];
+extern const char kManagedSessionUseFullLoginWarning[];
 extern const char kTPMFirmwareUpdateCleanupDismissed[];
 extern const char kTPMUpdatePlannedNotificationShownTime[];
 extern const char kTPMUpdateOnNextRebootNotificationShown[];

--- a/chrome/test/BUILD.gn
+++ b/chrome/test/BUILD.gn
@@ -4894,6 +4894,7 @@ test("unit_tests") {
    }
    if (is_chromeos) {
      sources += [
+        "../browser/chromeos/extensions/extensions_permissions_tracker_unittest.cc",
        "../browser/chromeos/login/easy_unlock/easy_unlock_auth_attempt_unittest.cc",
        "../browser/chromeos/login/easy_unlock/easy_unlock_notification_controller_chromeos_unittest.cc",
        "../browser/chromeos/login/easy_unlock/easy_unlock_screenlock_state_handler_unittest.cc",