Disable DNS-over-HTTPS when machine is enterprise managed.

Disable DoH on desktop machines that have platform policies set so that
enterprise machines will not take part in the experiment.

Bug: 955454
Change-Id: I86465e85deddb1ed40a28af53d9bddd6c3d82d6a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1764253
Commit-Queue: Steven Bingler <bingler@chromium.org>
Reviewed-by: Eric Orth <ericorth@chromium.org>
Cr-Commit-Position: refs/heads/master@{#690114}

chrome/browser/net/dns_util.cc

@@ -4,6 +4,9 @@
 
 #include "chrome/browser/net/dns_util.h"
 
+#include "build/build_config.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/policy/chrome_browser_policy_connector.h"
 #include "net/third_party/uri_template/uri_template.h"
 #include "url/gurl.h"
 
@@ -35,3 +38,11 @@ bool IsValidDoHTemplate(const std::string& server_template,
       (vars_found.find("dns") == vars_found.end()) ? "POST" : "GET";
   return true;
 }
+
+bool ShouldDisableDohForManaged() {
+#if !defined(OS_ANDROID) && !defined(OS_CHROMEOS)
+  return g_browser_process->browser_policy_connector()
+      ->HasMachineLevelPolicies();
+#endif
+  return false;
+}

chrome/browser/net/dns_util.h

@@ -14,6 +14,13 @@
 bool IsValidDoHTemplate(const std::string& server_template,
                         std::string* server_method);
 
+// Returns true if any machine level policies. ChromeOS devices are already
+// handled by the default_for_enterprise_users field on the DoH policy. We don't
+// attempt enterprise detection on Android at this time. This special logic is
+// to prevent enterprises from having DoH enabled by default and is necessary
+// because default_for_enterprise_users only applies to ChromeOS.
+bool ShouldDisableDohForManaged();
+
 const char kDnsOverHttpsModeOff[] = "off";
 const char kDnsOverHttpsModeAutomatic[] = "automatic";
 const char kDnsOverHttpsModeSecure[] = "secure";

chrome/browser/net/system_network_context_manager.cc

@@ -94,7 +94,13 @@ void GetStubResolverConfig(
   *insecure_stub_resolver_enabled =
       local_state->GetBoolean(prefs::kBuiltInDnsClientEnabled);
 
-  std::string doh_mode = local_state->GetString(prefs::kDnsOverHttpsMode);
+  std::string doh_mode;
+  if (!local_state->FindPreference(prefs::kDnsOverHttpsMode)->IsManaged() &&
+      ShouldDisableDohForManaged())
+    doh_mode = kDnsOverHttpsModeOff;
+  else
+    doh_mode = local_state->GetString(prefs::kDnsOverHttpsMode);
+
   if (doh_mode == kDnsOverHttpsModeSecure)
     *secure_dns_mode = net::DnsConfig::SecureDnsMode::SECURE;
   else if (doh_mode == kDnsOverHttpsModeAutomatic)