Invalidate school account token when terms of service version changes

This cl ensures that all edu accounts added as secondary accounts on a supervised user device will record their corresponding TermsOfService version number. Upon policy update for the TermsOfService, this cl checks which account has an outdated agreement and invalidates the token for the account. The change from the local flow to the server flow will not result in accounts being invalidated. Bug: 1134682 Change-Id: Ib19f26f11d760d05f78d21abd7fbad9481578d62 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2459947Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Reviewed-by: Aga Wronska <agawronska@chromium.org> Commit-Queue: Yilkal Abe <yilkal@chromium.org> Cr-Commit-Position: refs/heads/master@{#824174}

Invalidate school account token when terms of service version changes
This cl ensures that all edu accounts added as secondary accounts on a supervised user device will record their corresponding TermsOfService version number. Upon policy update for the TermsOfService, this cl checks which account has an outdated agreement and invalidates the token for the account. The change from the local flow to the server flow will not result in accounts being invalidated. Bug: 1134682 Change-Id: Ib19f26f11d760d05f78d21abd7fbad9481578d62 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2459947Reviewed-by: Xiyuan Xia <xiyuan@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Reviewed-by: Aga Wronska <agawronska@chromium.org> Commit-Queue: Yilkal Abe <yilkal@chromium.org> Cr-Commit-Position: refs/heads/master@{#824174}
c04a16dc · yilkal · Commit Bot · 6584ae9b · c04a16dc · c04a16dc
Commit c04a16dc authored Nov 04, 2020 by yilkal Committed by Commit Bot Nov 04, 2020
14 changed files
--- a/chrome/browser/chromeos/BUILD.gn
+++ b/chrome/browser/chromeos/BUILD.gn
@@ -422,6 +422,8 @@ source_set("chromeos") {
    "accessibility/magnifier_type.h",
    "accessibility/select_to_speak_event_handler_delegate.cc",
    "accessibility/select_to_speak_event_handler_delegate.h",
+    "account_manager/account_manager_edu_coexistence_controller.cc",
+    "account_manager/account_manager_edu_coexistence_controller.h",
    "account_manager/account_manager_facade_factory_ash.cc",
    "account_manager/account_manager_migrator.cc",
    "account_manager/account_manager_migrator.h",
@@ -921,6 +923,8 @@ source_set("chromeos") {
    "child_accounts/child_user_service.h",
    "child_accounts/child_user_service_factory.cc",
    "child_accounts/child_user_service_factory.h",
+    "child_accounts/edu_coexistence_tos_store_utils.cc",
+    "child_accounts/edu_coexistence_tos_store_utils.h",
    "child_accounts/event_based_status_reporting_service.cc",
    "child_accounts/event_based_status_reporting_service.h",
    "child_accounts/event_based_status_reporting_service_factory.cc",
@@ -3205,6 +3209,7 @@ source_set("unit_tests") {
    "../policy/default_geolocation_policy_handler_unittest.cc",
    "../resources/chromeos/zip_archiver/test/char_coding_test.cc",
    "../ui/browser_finder_chromeos_unittest.cc",
+    "account_manager/account_manager_edu_coexistence_controller_unittest.cc",
    "account_manager/account_migration_runner_unittest.cc",
    "android_sms/android_sms_app_manager_impl_unittest.cc",
    "android_sms/android_sms_app_setup_controller_impl_unittest.cc",

--- a/chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller.cc
+++ b/chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller.h"
+
+#include <algorithm>
+
+#include "base/logging.h"
+#include "base/optional.h"
+#include "chrome/browser/chromeos/account_manager/account_manager_util.h"
+#include "chrome/browser/chromeos/child_accounts/edu_coexistence_tos_store_utils.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ui/webui/chromeos/edu_coexistence_login_handler_chromeos.h"
+#include "chromeos/components/account_manager/account_manager.h"
+#include "chromeos/constants/chromeos_pref_names.h"
+#include "components/prefs/pref_registry_simple.h"
+#include "components/prefs/pref_service.h"
+
+namespace chromeos {
+
+void EduCoexistenceConsentInvalidationController::RegisterProfilePrefs(
+    PrefRegistrySimple* registry) {
+  // |kEduCoexistenceToSVersion| is derived from Google3 CL that introduced
+  // new ToS version. We use string data here for the ToS version to be more
+  // future proof. In the future we might add a prefix to indicate the flow
+  // where the ToS were accepted (OOBE or Settings flow).
+  registry->RegisterStringPref(chromeos::prefs::kEduCoexistenceToSVersion,
+                               edu_coexistence::kMinTOSVersionNumber);
+
+  // |kEduCoexistenceToSAcceptedVersion| is a dictionary associating the
+  // edu accounts present in account manager to the accepted terms of service
+  // version.
+  registry->RegisterDictionaryPref(
+      chromeos::prefs::kEduCoexistenceToSAcceptedVersion);
+}
+
+EduCoexistenceConsentInvalidationController::
+    EduCoexistenceConsentInvalidationController(
+        Profile* profile,
+        AccountManager* account_manager,
+        const AccountId& device_account_id)
+    : profile_(profile),
+      account_manager_(account_manager),
+      device_account_id_(device_account_id) {
+  DCHECK(profile_);
+  DCHECK(profile_->IsChild());
+  DCHECK(chromeos::IsAccountManagerAvailable(profile_));
+}
+
+EduCoexistenceConsentInvalidationController::
+    ~EduCoexistenceConsentInvalidationController() = default;
+
+void EduCoexistenceConsentInvalidationController::Init() {
+  account_manager_->GetAccounts(
+      base::BindOnce(&EduCoexistenceConsentInvalidationController::
+                         UpdateEduAccountsInTermsOfServicePref,
+                     weak_factory_.GetWeakPtr()));
+
+  pref_change_registrar_.Init(profile_->GetPrefs());
+  pref_change_registrar_.Add(
+      chromeos::prefs::kEduCoexistenceToSVersion,
+      base::BindRepeating(&EduCoexistenceConsentInvalidationController::
+                              TermsOfServicePrefChanged,
+                          weak_factory_.GetWeakPtr()));
+
+  // No need to call |TermsOfServicePrefChanged| here because
+  // |UpdateEduAccountsInTermsOfServicePref| callback created above will call
+  // it.
+}
+
+void EduCoexistenceConsentInvalidationController::
+    UpdateEduAccountsInTermsOfServicePref(
+        const std::vector<::account_manager::Account>& accounts) {
+  std::vector<edu_coexistence::UserConsentInfo>
+      current_edu_account_consent_list =
+          edu_coexistence::GetUserConsentInfoListForProfile(profile_);
+
+  std::vector<edu_coexistence::UserConsentInfo> new_edu_account_consent_list;
+
+  //  Adds secondary accounts present in account manager to
+  //  |new_edu_account_consent_list|.
+  for (const auto& account : accounts) {
+    // Don't add the device account id.
+    if (account.key.id == device_account_id_.GetGaiaId()) {
+      continue;
+    }
+
+    auto iterator =
+        std::find_if(current_edu_account_consent_list.begin(),
+                     current_edu_account_consent_list.end(),
+                     [&account](const edu_coexistence::UserConsentInfo& info) {
+                       return info.edu_account_gaia_id == account.key.id;
+                     });
+
+    // If account exists in |current_edu_account_consent_list| copy the entry
+    // over.
+    if (iterator != current_edu_account_consent_list.end()) {
+      new_edu_account_consent_list.push_back(*iterator);
+    } else {
+      // Create a new entry with default terms of service version number.
+      // This will be used to add secondary edu accounts added in the first
+      // version of EduCoexistence.
+      new_edu_account_consent_list.push_back(edu_coexistence::UserConsentInfo{
+          account.key.id,
+          edu_coexistence::
+              kMinTOSVersionNumber /* default terms of service version */});
+    }
+  }
+
+  edu_coexistence::SetUserConsentInfoListForProfile(
+      profile_, new_edu_account_consent_list);
+
+  TermsOfServicePrefChanged();
+}
+
+void EduCoexistenceConsentInvalidationController::TermsOfServicePrefChanged() {
+  std::string new_version = profile_->GetPrefs()->GetString(
+      chromeos::prefs::kEduCoexistenceToSVersion);
+
+  std::vector<edu_coexistence::UserConsentInfo> infos =
+      edu_coexistence::GetUserConsentInfoListForProfile(profile_);
+
+  std::vector<std::string> to_invalidate;
+  for (const auto& info : infos) {
+    if (edu_coexistence::IsConsentVersionLessThan(
+            info.edu_coexistence_tos_version, new_version)) {
+      to_invalidate.push_back(info.edu_account_gaia_id);
+    }
+  }
+
+  account_manager_->GetAccounts(base::BindOnce(
+      &EduCoexistenceConsentInvalidationController::InvalidateEduAccounts,
+      weak_factory_.GetWeakPtr(), std::move(to_invalidate)));
+}
+
+void EduCoexistenceConsentInvalidationController::InvalidateEduAccounts(
+    const std::vector<std::string>& account_gaia_ids_to_invalidate,
+    const std::vector<::account_manager::Account>& accounts) {
+  for (const ::account_manager::Account& account : accounts) {
+    if (account.key.account_type !=
+        chromeos::account_manager::AccountType::ACCOUNT_TYPE_GAIA) {
+      continue;
+    }
+
+    // Do not invalidate the Device Account.
+    if (device_account_id_.GetAccountType() == AccountType::GOOGLE &&
+        account.key.id == device_account_id_.GetGaiaId()) {
+      continue;
+    }
+
+    // This account should not be invalidated.
+    if (!base::Contains(account_gaia_ids_to_invalidate, account.key.id)) {
+      continue;
+    }
+
+    // This account is a Secondary EDU Gaia account. Invalidate it.
+    account_manager_->UpdateToken(account.key, AccountManager::kInvalidToken);
+  }
+}
+
+}  // namespace chromeos
--- a/chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller.h
+++ b/chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_ACCOUNT_MANAGER_ACCOUNT_MANAGER_EDU_COEXISTENCE_CONTROLLER_H_
+#define CHROME_BROWSER_CHROMEOS_ACCOUNT_MANAGER_ACCOUNT_MANAGER_EDU_COEXISTENCE_CONTROLLER_H_
+
+#include <string>
+#include <vector>
+
+#include "base/callback.h"
+#include "base/memory/weak_ptr.h"
+#include "components/account_id/account_id.h"
+#include "components/account_manager_core/account.h"
+#include "components/prefs/pref_change_registrar.h"
+
+class Profile;
+class PrefRegistrySimple;
+
+namespace chromeos {
+
+class AccountManager;
+
+// Listens to changes to chromeos::prefs::kEduCoexistenceToSVersion policy
+// preference and invalidates secondary edu accounts with outdated terms of
+// service version.
+class EduCoexistenceConsentInvalidationController {
+ public:
+  static void RegisterProfilePrefs(PrefRegistrySimple* registry);
+
+  EduCoexistenceConsentInvalidationController(
+      Profile* profile,
+      AccountManager* account_manager,
+      const AccountId& device_account_id);
+  EduCoexistenceConsentInvalidationController(
+      const EduCoexistenceConsentInvalidationController&) = delete;
+  EduCoexistenceConsentInvalidationController& operator=(
+      const EduCoexistenceConsentInvalidationController&) = delete;
+  ~EduCoexistenceConsentInvalidationController();
+
+  // Accesses the list from AccountManager to update the list of accounts stored
+  // in chromeos::prefs::kEduCoexistenceToSAcceptedVersion.
+  void Init();
+
+ private:
+  // Removes accounts which may have been stored in pref but which have since
+  // been removed as a secondary account.
+  // Secondary edu accounts may have already been added to device prior to M88.
+  // Therefore, it updates the
+  // chromeos::prefs::kEduCoexistenceToSAcceptedVersion pref to include those
+  // accounts.
+  void UpdateEduAccountsInTermsOfServicePref(
+      const std::vector<::account_manager::Account>& accounts);
+
+  void TermsOfServicePrefChanged();
+
+  void InvalidateEduAccounts(
+      const std::vector<std::string>& account_emails_to_invalidate,
+      const std::vector<::account_manager::Account>& accounts);
+
+  Profile* const profile_;
+  AccountManager* const account_manager_;
+  const AccountId device_account_id_;
+  PrefChangeRegistrar pref_change_registrar_;
+  base::WeakPtrFactory<EduCoexistenceConsentInvalidationController>
+      weak_factory_{this};
+};
+
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_ACCOUNT_MANAGER_ACCOUNT_MANAGER_EDU_COEXISTENCE_CONTROLLER_H_
--- a/chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller_unittest.cc
+++ b/chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller_unittest.cc
--- a/chrome/browser/chromeos/account_manager/account_manager_policy_controller.cc
+++ b/chrome/browser/chromeos/account_manager/account_manager_policy_controller.cc
@@ -7,10 +7,13 @@
 #include <string>

 #include "base/callback.h"
+#include "base/feature_list.h"
 #include "base/sequence_checker.h"
+#include "chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller.h"
 #include "chrome/browser/chromeos/account_manager/account_manager_util.h"
 #include "chrome/browser/chromeos/child_accounts/secondary_account_consent_logger.h"
 #include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/supervised_user/supervised_user_features.h"
 #include "chromeos/constants/chromeos_pref_names.h"
 #include "components/prefs/pref_service.h"

@@ -52,9 +55,16 @@ void AccountManagerPolicyController::Start() {
  OnChildAccountTypeChanged(user_data->value());

  if (profile_->IsChild()) {
-    // Invalidate secondary accounts if parental consent text version for EDU
-    // accounts addition has changed.
-    CheckEduCoexistenceSecondaryAccountsInvalidationVersion();
+    if (base::FeatureList::IsEnabled(supervised_users::kEduCoexistenceFlowV2)) {
+      edu_coexistence_consent_invalidation_controller_ =
+          std::make_unique<EduCoexistenceConsentInvalidationController>(
+              profile_, account_manager_, device_account_id_);
+      edu_coexistence_consent_invalidation_controller_->Init();
+    } else {
+      // Invalidate secondary accounts if parental consent text version for EDU
+      // accounts addition has changed.
+      CheckEduCoexistenceSecondaryAccountsInvalidationVersion();
+    }
  }
 }

@@ -162,6 +172,7 @@ void AccountManagerPolicyController::

 void AccountManagerPolicyController::Shutdown() {
  child_account_type_changed_subscription_.reset();
+  edu_coexistence_consent_invalidation_controller_.reset();
 }

 }  // namespace chromeos
--- a/chrome/browser/chromeos/account_manager/account_manager_policy_controller.h
+++ b/chrome/browser/chromeos/account_manager/account_manager_policy_controller.h
@@ -24,6 +24,7 @@ class Profile;
 namespace chromeos {

 class AccountManager;
+class EduCoexistenceConsentInvalidationController;

 class AccountManagerPolicyController : public KeyedService {
 public:
@@ -74,6 +75,9 @@ class AccountManagerPolicyController : public KeyedService {
  std::unique_ptr<chromeos::ChildAccountTypeChangedSubscription>
      child_account_type_changed_subscription_;

+  std::unique_ptr<EduCoexistenceConsentInvalidationController>
+      edu_coexistence_consent_invalidation_controller_;
+
  SEQUENCE_CHECKER(sequence_checker_);

  base::WeakPtrFactory<AccountManagerPolicyController> weak_factory_{this};

--- a/chrome/browser/chromeos/child_accounts/edu_coexistence_tos_store_utils.cc
+++ b/chrome/browser/chromeos/child_accounts/edu_coexistence_tos_store_utils.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/child_accounts/edu_coexistence_tos_store_utils.h"
+
+#include "base/logging.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/values.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chromeos/constants/chromeos_pref_names.h"
+#include "components/prefs/pref_service.h"
+#include "components/prefs/scoped_user_pref_update.h"
+
+namespace chromeos {
+
+namespace edu_coexistence {
+
+// TODO(yilkal): Update the "0" below to the terms of service version number
+// that will first be sent via policy inorder to ensure that we will not
+// invalidate pre-existing edu-coexistence accounts.
+const char kMinTOSVersionNumber[] = "0";
+
+UserConsentInfo::UserConsentInfo(const std::string& gaia_id,
+                                 const std::string& version)
+    : edu_account_gaia_id(gaia_id), edu_coexistence_tos_version(version) {}
+
+bool IsConsentVersionLessThan(const std::string& lhs_version,
+                              const std::string& rhs_version) {
+  int lhs_version_int;
+  if (!base::StringToInt(lhs_version, &lhs_version_int)) {
+    LOG(ERROR) << " TermsOfService |lhs_version| string is not a number"
+               << lhs_version;
+    return false;
+  }
+
+  int rhs_version_int;
+  if (!base::StringToInt(rhs_version, &rhs_version_int)) {
+    LOG(ERROR) << " TermsOfService |rhs_version| string is not a number"
+               << rhs_version;
+    return false;
+  }
+
+  return lhs_version_int < rhs_version_int;
+}
+
+void UpdateAcceptedToSVersionPref(Profile* profile,
+                                  const UserConsentInfo& user_consent_info) {
+  DictionaryPrefUpdate update(
+      profile->GetPrefs(), chromeos::prefs::kEduCoexistenceToSAcceptedVersion);
+  base::DictionaryValue* dict = update.Get();
+
+  dict->SetStringPath(user_consent_info.edu_account_gaia_id,
+                      user_consent_info.edu_coexistence_tos_version);
+}
+
+void SetUserConsentInfoListForProfile(
+    Profile* profile,
+    const std::vector<UserConsentInfo>& user_consent_info_list) {
+  base::Value user_consent_info_list_value(base::Value::Type::DICTIONARY);
+  for (const auto& info : user_consent_info_list) {
+    user_consent_info_list_value.SetStringPath(
+        info.edu_account_gaia_id, info.edu_coexistence_tos_version);
+  }
+
+  profile->GetPrefs()->Set(chromeos::prefs::kEduCoexistenceToSAcceptedVersion,
+                           std::move(user_consent_info_list_value));
+}
+
+std::vector<UserConsentInfo> GetUserConsentInfoListForProfile(
+    Profile* profile) {
+  const base::Value* user_consent_info_dict_value = profile->GetPrefs()->Get(
+      chromeos::prefs::kEduCoexistenceToSAcceptedVersion);
+
+  DCHECK(user_consent_info_dict_value);
+  DCHECK(user_consent_info_dict_value->is_dict());
+
+  std::vector<UserConsentInfo> info_list;
+
+  for (const auto& entry : user_consent_info_dict_value->DictItems()) {
+    const std::string& gaia_id = entry.first;
+    const std::string& accepted_tos_version = entry.second.GetString();
+    info_list.push_back(UserConsentInfo(gaia_id, accepted_tos_version));
+  }
+
+  return info_list;
+}
+
+std::string GetAcceptedToSVersion(Profile* profile,
+                                  const std::string& secondary_edu_gaia_id) {
+  const base::Value* accepted_values = profile->GetPrefs()->Get(
+      chromeos::prefs::kEduCoexistenceToSAcceptedVersion);
+
+  const std::string* entry =
+      accepted_values->FindStringKey(secondary_edu_gaia_id);
+  return entry ? *entry : std::string();
+}
+
+}  // namespace edu_coexistence
+}  // namespace chromeos
--- a/chrome/browser/chromeos/child_accounts/edu_coexistence_tos_store_utils.h
+++ b/chrome/browser/chromeos/child_accounts/edu_coexistence_tos_store_utils.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_CHILD_ACCOUNTS_EDU_COEXISTENCE_TOS_STORE_UTILS_H_
+#define CHROME_BROWSER_CHROMEOS_CHILD_ACCOUNTS_EDU_COEXISTENCE_TOS_STORE_UTILS_H_
+
+#include <string>
+#include <vector>
+
+class Profile;
+
+namespace chromeos {
+namespace edu_coexistence {
+
+// The first google3 cl number that is sent through a policy which is mapped
+// to |chromeos::prefs::kEduCoexistenceToSVersion|. All version numbers sent
+// will be greater than or equal to |kMinTOSVersionNumber|.
+extern const char kMinTOSVersionNumber[];
+
+// Used to store the gaia id and corresponding accepted terms of
+// service version number. The user is the child account but the parent is the
+// one who accepts the terms of service.
+struct UserConsentInfo {
+  UserConsentInfo(const std::string& gaia_id, const std::string& version);
+  std::string edu_account_gaia_id;
+  std::string edu_coexistence_tos_version;
+};
+
+// Returns true if `lhs_version` as a version int is less than
+// the version int of `rhs_version`.
+// If any of the version strings is invalid, returns false.
+bool IsConsentVersionLessThan(const std::string& lhs_version,
+                              const std::string& rhs_version);
+
+// Used by EduCoexistenceLoginHandler to insert/update the stored
+// UserConsentInfo when the user completes adding their secondary edu account.
+// If the account already exists in user's pref, then its accepted tos will be
+// updated. Otherwise, a new entry will be created.
+// The pref that is used to store the UserConsentInfo is defined in:
+// |chromeos::prefs::kEduCoexistenceToSAcceptedVersion|
+// Unlike |SetUserConsentInfoListForProfile| this doesn't overwrite the entire
+// stored UserConsentInfo list; it instead updates it.
+void UpdateAcceptedToSVersionPref(Profile* profile,
+                                  const UserConsentInfo& user_consent_info);
+
+// Overwrites the stored UserConsentInfo to be |user_consent_info_list|.
+void SetUserConsentInfoListForProfile(
+    Profile* profile,
+    const std::vector<UserConsentInfo>& user_consent_info_list);
+
+// Returns the list of UserConsentInfo stored in
+// |chromeos::prefs::kEduCoexistenceToSAcceptedVersion|.
+std::vector<UserConsentInfo> GetUserConsentInfoListForProfile(Profile* profile);
+
+// |profile| is the Primary user profile which is the family link user.
+std::string GetAcceptedToSVersion(Profile* profile,
+                                  const std::string& secondary_edu_gaia_id);
+}  // namespace edu_coexistence
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_CHILD_ACCOUNTS_EDU_COEXISTENCE_TOS_STORE_UTILS_H_
--- a/chrome/browser/chromeos/child_accounts/secondary_account_consent_logger.cc
+++ b/chrome/browser/chromeos/child_accounts/secondary_account_consent_logger.cc
@@ -92,20 +92,6 @@ void SecondaryAccountConsentLogger::RegisterPrefs(
  registry->RegisterStringPref(
      chromeos::prefs::kEduCoexistenceSecondaryAccountsInvalidationVersion,
      "iv2153049" /* default_value, the first invalidation version */);
-
-  // |kEduCoexistenceToSVersion| is derived from Google3 cl that introduced new
-  // ToS version. We use string here for the ToS version to be more future
-  // proof. In the future we might add a prefix to indicate the flow where the
-  // ToS were accepted (OOBE or Settings flow).
-  registry->RegisterStringPref(chromeos::prefs::kEduCoexistenceToSVersion,
-                               std::string());
-
-  // |kEduCoexistenceToSAcceptedVersion| is a dictionary associating the
-  // edu accounts present in account manager to the accepted terms of service
-  // version.
-  registry->RegisterDictionaryPref(
-      chromeos::prefs::kEduCoexistenceToSAcceptedVersion,
-      base::Value(base::Value::Type::DICTIONARY));
 }

 // static

--- a/chrome/browser/chromeos/child_accounts/secondary_account_consent_logger.h
+++ b/chrome/browser/chromeos/child_accounts/secondary_account_consent_logger.h
@@ -37,6 +37,8 @@ class SharedURLLoaderFactory;
 // logs consent with provided parent id, rapt, coexistence id and text version.
 // EduCoexistenceId identifies the profile and is created if it's not present
 // yet. Text version specifies the version of the text on the information page.
+// TODO(crbug.com/1145246): Remove this code when the educoexistence v2 flow is
+// stable.
 class SecondaryAccountConsentLogger {
 public:
  // NOTE: This enum is persisted to histograms. Do not change or reorder

--- a/chrome/browser/prefs/browser_prefs.cc
+++ b/chrome/browser/prefs/browser_prefs.cc
@@ -275,6 +275,7 @@
 #if defined(USE_CUPS)
 #include "chrome/browser/chromeos/extensions/printing/printing_api_handler.h"
 #endif
+#include "chrome/browser/chromeos/account_manager/account_manager_edu_coexistence_controller.h"
 #include "chrome/browser/chromeos/borealis/borealis_prefs.h"
 #include "chrome/browser/chromeos/child_accounts/secondary_account_consent_logger.h"
 #include "chrome/browser/chromeos/file_system_provider/registry.h"
@@ -954,6 +955,8 @@ void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry,
  chromeos::RegisterSamlProfilePrefs(registry);
  chromeos::ScreenTimeController::RegisterProfilePrefs(registry);
  SecondaryAccountConsentLogger::RegisterPrefs(registry);
+  chromeos::EduCoexistenceConsentInvalidationController::RegisterProfilePrefs(
+      registry);
  SigninErrorNotifier::RegisterPrefs(registry);
  chromeos::ServicesCustomizationDocument::RegisterProfilePrefs(registry);
  chromeos::settings::OSSettingsUI::RegisterProfilePrefs(registry);

--- a/chrome/browser/ui/webui/chromeos/edu_coexistence_login_handler_browsertest.cc
+++ b/chrome/browser/ui/webui/chromeos/edu_coexistence_login_handler_browsertest.cc
@@ -11,6 +11,7 @@
 #include "base/test/scoped_feature_list.h"
 #include "base/time/time.h"
 #include "base/values.h"
+#include "chrome/browser/chromeos/child_accounts/edu_coexistence_tos_store_utils.h"
 #include "chrome/browser/chromeos/login/test/fake_gaia_mixin.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/profiles/profile_manager.h"
@@ -38,16 +39,6 @@ namespace {

 constexpr char kResponseCallback[] = "cr.webUIResponse";

-std::string GetAcceptedTosVersionForAccount(const std::string& user_gaia_id) {
-  PrefService* prefs = ProfileManager::GetActiveUserProfile()->GetPrefs();
-
-  const base::Value* accepted_values =
-      prefs->Get(chromeos::prefs::kEduCoexistenceToSAcceptedVersion);
-
-  const std::string* entry = accepted_values->FindStringKey(user_gaia_id);
-  return entry ? *entry : std::string();
-}
-
 }  // namespace

 class EduCoexistenceLoginHandlerBrowserTest
@@ -120,11 +111,10 @@ class EduCoexistenceLoginHandlerBrowserTest

 IN_PROC_BROWSER_TEST_F(EduCoexistenceLoginHandlerBrowserTest,
                       HandleInitializeEduCoexistenceArgs) {
+  constexpr char kCallbackId[] = "coexistence-data-init";
  std::unique_ptr<EduCoexistenceLoginHandler> handler = SetUpHandler();
-
-  constexpr char callback_id[] = "coexistence-data-init";
  base::ListValue list_args;
-  list_args.Append(callback_id);
+  list_args.Append(kCallbackId);
  web_ui()->HandleReceivedMessage("initializeEduArgs", &list_args);
  SimulateAccessTokenFetched(handler.get());

@@ -133,7 +123,7 @@ IN_PROC_BROWSER_TEST_F(EduCoexistenceLoginHandlerBrowserTest,
  const content::TestWebUI::CallData& second_call = *web_ui()->call_data()[0];

  // TODO(yilkal): verify the exact the call arguments.
-  VerifyJavascriptCallResolved(second_call, callback_id, kResponseCallback);
+  VerifyJavascriptCallResolved(second_call, kCallbackId, kResponseCallback);
 }

 IN_PROC_BROWSER_TEST_F(EduCoexistenceLoginHandlerBrowserTest,
@@ -174,13 +164,13 @@ IN_PROC_BROWSER_TEST_F(EduCoexistenceLoginHandlerBrowserTest,

 IN_PROC_BROWSER_TEST_F(EduCoexistenceLoginHandlerBrowserTest,
                       HandleConsentLogged) {
-  std::unique_ptr<EduCoexistenceLoginHandler> handler = SetUpHandler();
  constexpr char kConsentLoggedCallback[] = "consent-logged-callback";
-  constexpr char kAcceptedTosVersion[] = "12345678";
+  constexpr char kToSVersion[] = "12345678";
+  std::unique_ptr<EduCoexistenceLoginHandler> handler = SetUpHandler();

  base::ListValue call_args;
  call_args.Append(FakeGaiaMixin::kFakeUserEmail);
-  call_args.Append(kAcceptedTosVersion);
+  call_args.Append(kToSVersion);

  base::ListValue list_args;
  list_args.Append(kConsentLoggedCallback);
@@ -203,9 +193,9 @@ IN_PROC_BROWSER_TEST_F(EduCoexistenceLoginHandlerBrowserTest,
  account.gaia = FakeGaiaMixin::kFakeUserGaiaId;
  handler->OnRefreshTokenUpdatedForAccount(account);

-  const std::string& accepted_tos =
-      GetAcceptedTosVersionForAccount(FakeGaiaMixin::kFakeUserGaiaId);
-  EXPECT_EQ(accepted_tos, std::string(kAcceptedTosVersion));
+  const std::string& accepted_tos = edu_coexistence::GetAcceptedToSVersion(
+      ProfileManager::GetActiveUserProfile(), FakeGaiaMixin::kFakeUserGaiaId);
+  EXPECT_EQ(accepted_tos, std::string(kToSVersion));

  EXPECT_EQ(web_ui()->call_data().size(), 1u);
  const content::TestWebUI::CallData& second_call = *web_ui()->call_data()[0];
@@ -215,4 +205,44 @@ IN_PROC_BROWSER_TEST_F(EduCoexistenceLoginHandlerBrowserTest,
                               kResponseCallback);
 }

+IN_PROC_BROWSER_TEST_F(EduCoexistenceLoginHandlerBrowserTest,
+                       TestUpdateAcceptedToSVersionPrefAccount) {
+  constexpr char kVersion1[] = "123";
+  constexpr char kVersion2[] = "234";
+  constexpr char kUser1GaiaId[] = "user1-gaia-id";
+  constexpr char kUser2GaiaId[] = "user2-gaia-id";
+  constexpr char kUser3GaiaId[] = "user3-gaia-id";
+
+  Profile* profile = ProfileManager::GetActiveUserProfile();
+
+  edu_coexistence::UpdateAcceptedToSVersionPref(
+      profile, edu_coexistence::UserConsentInfo(kUser1GaiaId, kVersion1));
+  EXPECT_EQ(edu_coexistence::GetAcceptedToSVersion(profile, kUser1GaiaId),
+            std::string(kVersion1));
+
+  edu_coexistence::UpdateAcceptedToSVersionPref(
+      profile, edu_coexistence::UserConsentInfo(kUser2GaiaId, kVersion1));
+  EXPECT_EQ(edu_coexistence::GetAcceptedToSVersion(profile, kUser2GaiaId),
+            std::string(kVersion1));
+
+  edu_coexistence::UpdateAcceptedToSVersionPref(
+      profile, edu_coexistence::UserConsentInfo(kUser3GaiaId, kVersion1));
+  EXPECT_EQ(edu_coexistence::GetAcceptedToSVersion(profile, kUser3GaiaId),
+            std::string(kVersion1));
+
+  edu_coexistence::UpdateAcceptedToSVersionPref(
+      profile, edu_coexistence::UserConsentInfo(kUser2GaiaId, kVersion2));
+  EXPECT_EQ(edu_coexistence::GetAcceptedToSVersion(profile, kUser2GaiaId),
+            std::string(kVersion2));
+  EXPECT_EQ(edu_coexistence::GetAcceptedToSVersion(profile, kUser1GaiaId),
+            std::string(kVersion1));
+  EXPECT_EQ(edu_coexistence::GetAcceptedToSVersion(profile, kUser3GaiaId),
+            std::string(kVersion1));
+
+  edu_coexistence::UpdateAcceptedToSVersionPref(
+      profile, edu_coexistence::UserConsentInfo(kUser1GaiaId, kVersion2));
+  EXPECT_EQ(edu_coexistence::GetAcceptedToSVersion(profile, kUser1GaiaId),
+            std::string(kVersion2));
+}
+
 }  // namespace chromeos
--- a/chrome/browser/ui/webui/chromeos/edu_coexistence_login_handler_chromeos.cc
+++ b/chrome/browser/ui/webui/chromeos/edu_coexistence_login_handler_chromeos.cc
@@ -13,12 +13,12 @@
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/guid.h"
-#include "base/logging.h"
 #include "base/metrics/histogram_functions.h"
 #include "base/system/sys_info.h"
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part.h"
+#include "chrome/browser/chromeos/child_accounts/edu_coexistence_tos_store_utils.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/profiles/profile_manager.h"
@@ -31,7 +31,6 @@
 #include "components/policy/core/common/cloud/cloud_policy_core.h"
 #include "components/policy/proto/device_management_backend.pb.h"
 #include "components/prefs/pref_service.h"
-#include "components/prefs/scoped_user_pref_update.h"
 #include "components/session_manager/core/session_manager.h"
 #include "components/signin/public/identity_manager/access_token_info.h"
 #include "components/signin/public/identity_manager/account_info.h"
@@ -116,17 +115,6 @@ std::string GetDeviceIdForActiveUserProfile() {
  return policy->device_id();
 }

-void UpdateEduCoexistenceTokenForAccount(
-    Profile* profile,
-    const std::string& edu_account_gaia_id,
-    const std::string& terms_of_service_version_number) {
-  DictionaryPrefUpdate update(
-      profile->GetPrefs(), chromeos::prefs::kEduCoexistenceToSAcceptedVersion);
-  base::DictionaryValue* dict = update.Get();
-
-  dict->SetStringPath(edu_account_gaia_id, terms_of_service_version_number);
-}
-
 }  // namespace

 EduCoexistenceLoginHandler::EduCoexistenceLoginHandler(
@@ -203,8 +191,10 @@ void EduCoexistenceLoginHandler::OnRefreshTokenUpdatedForAccount(
  AllowJavascript();

  Profile* profile = ProfileManager::GetActiveUserProfile();
-  UpdateEduCoexistenceTokenForAccount(profile, account_info.gaia,
-                                      terms_of_service_version_number_);
+
+  edu_coexistence::UpdateAcceptedToSVersionPref(
+      profile, edu_coexistence::UserConsentInfo(
+                   account_info.gaia, terms_of_service_version_number_));

  // Otherwise, notify the ui that account addition was successful!!
  ResolveJavascriptCallback(base::Value(account_added_callback_),

--- a/chromeos/constants/chromeos_pref_names.cc
+++ b/chromeos/constants/chromeos_pref_names.cc
@@ -65,6 +65,7 @@ const char kEduCoexistenceId[] = "account_manager.edu_coexistence_id";
 // A string pref storing a parental consent text version that requires
 // invalidation of the secondary accounts added with the previous consent
 // versions.
+// This is used for the V1 version of EduCoexistence and will be removed.
 const char kEduCoexistenceSecondaryAccountsInvalidationVersion[] =
    "account_manager.edu_coexistence_secondary_accounts_invalidation_version";