Enable policy fetching for CHILD account.

This allows fetching policy for CHILD accunts. CHILD account is known
non-enterprise domain.

this moment it is empty. Add browser test.

Test: Manually. Validated that policy is fetched for CHILD account. At
Bug: 813892
Change-Id: I52440ab2737881499eb2e82f6a80eb0816f65542
Reviewed-on: https://chromium-review.googlesource.com/956962
Commit-Queue: Yury Khmel <khmel@google.com>
Reviewed-by: Roger Tawa <rogerta@chromium.org>
Reviewed-by: Drew Wilson <atwilson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543508}

chrome/browser/chromeos/policy/login_policy_test_base.cc

@@ -45,7 +45,7 @@ void LoginPolicyTestBase::SetUp() {
   GetMandatoryPoliciesValue(&mandatory);
   base::DictionaryValue recommended;
   GetRecommendedPoliciesValue(&recommended);
-  user_policy_helper_.reset(new UserPolicyTestHelper(kAccountId));
+  user_policy_helper_.reset(new UserPolicyTestHelper(GetAccount()));
   user_policy_helper_->Init(mandatory, recommended);
   OobeBaseTest::SetUp();
 }
@@ -57,8 +57,20 @@ void LoginPolicyTestBase::SetUpCommandLine(base::CommandLine* command_line) {
 
 void LoginPolicyTestBase::SetUpOnMainThread() {
   SetMergeSessionParams();
-  SetupFakeGaiaForLogin(kAccountId, "", kTestRefreshToken);
+  SetupFakeGaiaForLogin(GetAccount(), "", kTestRefreshToken);
   OobeBaseTest::SetUpOnMainThread();
+
+  FakeGaia::MergeSessionParams params;
+  params.id_token = GetIdToken();
+  fake_gaia_->UpdateMergeSessionParams(params);
+}
+
+std::string LoginPolicyTestBase::GetAccount() const {
+  return kAccountId;
+}
+
+std::string LoginPolicyTestBase::GetIdToken() const {
+  return std::string();
 }
 
 void LoginPolicyTestBase::GetMandatoryPoliciesValue(
@@ -76,10 +88,11 @@ void LoginPolicyTestBase::SetMergeSessionParams() {
   params.auth_code = kTestAuthCode;
   params.refresh_token = kTestRefreshToken;
   params.access_token = kTestAuthLoginAccessToken;
+  params.id_token = GetIdToken();
   params.gaia_uber_token = kTestGaiaUberToken;
   params.session_sid_cookie = kTestSessionSIDCookie;
   params.session_lsid_cookie = kTestSessionLSIDCookie;
-  params.email = kAccountId;
+  params.email = GetAccount();
   fake_gaia_->SetMergeSessionParams(params);
 }
 

chrome/browser/chromeos/policy/login_policy_test_base.h

@@ -33,6 +33,8 @@ class LoginPolicyTestBase : public chromeos::OobeBaseTest {
 
   virtual void GetMandatoryPoliciesValue(base::DictionaryValue* policy) const;
   virtual void GetRecommendedPoliciesValue(base::DictionaryValue* policy) const;
+  virtual std::string GetAccount() const;
+  virtual std::string GetIdToken() const;
 
   UserPolicyTestHelper* user_policy_helper() {
     return user_policy_helper_.get();

chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos_browsertest.cc

@@ -18,6 +18,7 @@
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_list.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
+#include "components/policy/core/browser/browser_policy_connector.h"
 #include "components/policy/policy_constants.h"
 #include "components/user_manager/known_user.h"
 #include "components/user_manager/user.h"
@@ -30,7 +31,12 @@
 namespace {
 // The Gaia ID supplied by FakeGaia for our mocked-out signin.
 const char kTestGaiaId[] = "12345";
-const char kConsumerAccount[] = "test_user@gmail.com";
+
+const char kIdTokenChildAccount[] =
+    "dummy-header."
+    // base64 encoded: { "services": ["uca"] }
+    "eyAic2VydmljZXMiOiBbInVjYSJdIH0="
+    ".dummy-signature";
 
 // Helper class that counts the number of notifications of the specified
 // type that have been received.
@@ -209,16 +215,44 @@ IN_PROC_BROWSER_TEST_F(UserCloudPolicyManagerTest, MigrateForExistingUser) {
             user_manager::known_user::GetProfileRequiresPolicy(account_id));
 }
 
-IN_PROC_BROWSER_TEST_F(UserCloudPolicyManagerTest, NoPolicyForConsumer) {
+class UserCloudPolicyManagerNonEnterpriseTest
+    : public UserCloudPolicyManagerTest {
+ protected:
+  UserCloudPolicyManagerNonEnterpriseTest() = default;
+  ~UserCloudPolicyManagerNonEnterpriseTest() override = default;
+
+  // UserCloudPolicyManagerTest:
+  void SetUp() override {
+    // Recognize example.com as non-enterprise account. We don't use any
+    // available public domain such as gmail.com in order to prevent possible
+    // leak of verification keys/signatures.
+    policy::BrowserPolicyConnector::SetNonEnterpriseDomainForTesting(
+        "example.com");
+    UserCloudPolicyManagerTest::SetUp();
+  }
+
+  void TearDown() override {
+    UserCloudPolicyManagerTest::TearDown();
+    policy::BrowserPolicyConnector::SetNonEnterpriseDomainForTesting(nullptr);
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(UserCloudPolicyManagerNonEnterpriseTest);
+};
+
+IN_PROC_BROWSER_TEST_F(UserCloudPolicyManagerNonEnterpriseTest,
+                       NoPolicyForConsumer) {
+  EXPECT_TRUE(
+      policy::BrowserPolicyConnector::IsNonEnterpriseUser(GetAccount()));
   // If a user signs in with a known non-enterprise account there should be no
   // policy.
   AccountId account_id =
-      AccountId::FromUserEmailGaiaId(kConsumerAccount, kTestGaiaId);
+      AccountId::FromUserEmailGaiaId(GetAccount(), kTestGaiaId);
   EXPECT_EQ(user_manager::known_user::ProfileRequiresPolicy::kUnknown,
             user_manager::known_user::GetProfileRequiresPolicy(account_id));
 
   SkipToLoginScreen();
-  LogIn(kConsumerAccount, kAccountPassword);
+  LogIn(GetAccount(), kAccountPassword);
 
   // User should be marked as having a valid OAuth token.
   const user_manager::UserManager* const user_manager =
@@ -233,4 +267,43 @@ IN_PROC_BROWSER_TEST_F(UserCloudPolicyManagerTest, NoPolicyForConsumer) {
             user_manager::known_user::GetProfileRequiresPolicy(account_id));
 }
 
+class UserCloudPolicyManagerChildTest
+    : public UserCloudPolicyManagerNonEnterpriseTest {
+ protected:
+  UserCloudPolicyManagerChildTest() = default;
+  ~UserCloudPolicyManagerChildTest() override = default;
+
+  // LoginPolicyTestBase:
+  std::string GetIdToken() const override { return kIdTokenChildAccount; }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(UserCloudPolicyManagerChildTest);
+};
+
+IN_PROC_BROWSER_TEST_F(UserCloudPolicyManagerChildTest, PolicyForChildUser) {
+  EXPECT_TRUE(
+      policy::BrowserPolicyConnector::IsNonEnterpriseUser(GetAccount()));
+  // If a user signs in with a known non-enterprise account there should be no
+  // policy in case user type is child.
+  AccountId account_id =
+      AccountId::FromUserEmailGaiaId(GetAccount(), kTestGaiaId);
+  EXPECT_EQ(user_manager::known_user::ProfileRequiresPolicy::kUnknown,
+            user_manager::known_user::GetProfileRequiresPolicy(account_id));
+
+  SkipToLoginScreen();
+  LogIn(GetAccount(), kAccountPassword);
+
+  // User should be marked as having a valid OAuth token.
+  const user_manager::UserManager* const user_manager =
+      user_manager::UserManager::Get();
+  EXPECT_EQ(user_manager::User::OAUTH2_TOKEN_STATUS_VALID,
+            user_manager->GetActiveUser()->oauth_token_status());
+
+  EXPECT_TRUE(user_manager->GetActiveUser()->profile_ever_initialized());
+
+  // User of CHILD type should be marked as requiring policy.
+  EXPECT_EQ(user_manager::known_user::ProfileRequiresPolicy::kPolicyRequired,
+            user_manager::known_user::GetProfileRequiresPolicy(account_id));
+}
+
 }  // namespace policy

chrome/browser/chromeos/policy/user_policy_manager_factory_chromeos.cc

@@ -168,19 +168,23 @@ UserPolicyManagerFactoryChromeOS::CreateManagerForProfile(
       chromeos::ProfileHelper::Get()->GetUserByProfile(profile);
   CHECK(user);
 
-  // User policy exists for enterprise accounts only:
+  // User policy exists for enterprise accounts:
   // - For regular cloud-managed users (those who have a GAIA account), a
   //   |UserCloudPolicyManagerChromeOS| is created here.
   // - For Active Directory managed users, an |ActiveDirectoryPolicyManager|
   //   is created.
   // - For device-local accounts, policy is provided by
   //   |DeviceLocalAccountPolicyService|.
+  // For non-enterprise accounts only for users with type USER_TYPE_CHILD
+  //   |UserCloudPolicyManagerChromeOS| is created here.
   // All other user types do not have user policy.
   const AccountId& account_id = user->GetAccountId();
   const bool is_stub_user =
       user_manager::UserManager::Get()->IsStubAccountId(account_id);
-  if (user->IsSupervised() ||
-      BrowserPolicyConnector::IsNonEnterpriseUser(account_id.GetUserEmail())) {
+  if (user->GetType() != user_manager::USER_TYPE_CHILD &&
+      (user->GetType() == user_manager::USER_TYPE_SUPERVISED ||
+       BrowserPolicyConnector::IsNonEnterpriseUser(
+           account_id.GetUserEmail()))) {
     DLOG(WARNING) << "No policy loaded for known non-enterprise user";
     // Mark this profile as not requiring policy.
     user_manager::known_user::SetProfileRequiresPolicy(

components/policy/core/browser/browser_policy_connector.cc

@@ -65,6 +65,8 @@ const wchar_t* const kNonManagedDomainPatterns[] = {
   L"consumer\\.example\\.com",
 };
 
+const char* non_managed_domain_for_testing = nullptr;
+
 // Returns true if |domain| matches the regex |pattern|.
 bool MatchDomain(const base::string16& domain, const base::string16& pattern,
                  size_t index) {
@@ -145,9 +147,19 @@ bool BrowserPolicyConnector::IsNonEnterpriseUser(const std::string& username) {
     if (MatchDomain(domain, pattern, i))
       return true;
   }
+  if (non_managed_domain_for_testing &&
+      domain == base::UTF8ToUTF16(non_managed_domain_for_testing)) {
+    return true;
+  }
   return false;
 }
 
+// static
+void BrowserPolicyConnector::SetNonEnterpriseDomainForTesting(
+    const char* domain) {
+  non_managed_domain_for_testing = domain;
+}
+
 // static
 std::string BrowserPolicyConnector::GetDeviceManagementUrl() {
   base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();

components/policy/core/browser/browser_policy_connector.h

@@ -54,6 +54,11 @@ class POLICY_EXPORT BrowserPolicyConnector : public BrowserPolicyConnectorBase {
   // false if the username is empty.
   static bool IsNonEnterpriseUser(const std::string& username);
 
+  // Allows to register domain for tests that is recognized as non-enterprise.
+  // Note that |domain| basically needs to live until this method is invoked
+  // with a nullptr.
+  static void SetNonEnterpriseDomainForTesting(const char* domain);
+
   // Returns the URL for the device management service endpoint.
   static std::string GetDeviceManagementUrl();
 

google_apis/gaia/fake_gaia.cc

@@ -149,6 +149,7 @@ void FakeGaia::MergeSessionParams::Update(const MergeSessionParams& update) {
   maybe_update_field(&MergeSessionParams::auth_code);
   maybe_update_field(&MergeSessionParams::refresh_token);
   maybe_update_field(&MergeSessionParams::access_token);
+  maybe_update_field(&MergeSessionParams::id_token);
   maybe_update_field(&MergeSessionParams::gaia_uber_token);
   maybe_update_field(&MergeSessionParams::session_sid_cookie);
   maybe_update_field(&MergeSessionParams::session_lsid_cookie);
@@ -709,6 +710,8 @@ void FakeGaia::HandleAuthToken(const HttpRequest& request,
           device_id;
     response_dict.SetString("access_token",
                             merge_session_params_.access_token);
+    if (!merge_session_params_.id_token.empty())
+      response_dict.SetString("id_token", merge_session_params_.id_token);
     response_dict.SetInteger("expires_in", 3600);
     FormatJSONResponse(response_dict, http_response);
     return;

google_apis/gaia/fake_gaia.h

@@ -67,10 +67,11 @@ class FakeGaia {
     // auth_code cookie value response for /o/oauth2/programmatic_auth call.
     std::string auth_code;
 
-    // OAuth2 refresh and access token generated by /oauth2/v4/token call
+    // OAuth2 refresh access and id token generated by /oauth2/v4/token call
     // with "...&grant_type=authorization_code".
     std::string refresh_token;
     std::string access_token;
+    std::string id_token;
 
     // Uber token response from /OAuthLogin call.
     std::string gaia_uber_token;