Create ConnectorsManager with legacy policies implementation

The following legacy policies are read by the manager:
  DelayDeliveryUntilVerdict
  BlockLargeFileTransfer
  AllowPasswordProtectedFiles
  BlockUnsupportedFiletypes
  kURLs* policies

The manager is not called by chrome code yet since the CL is already
quite large and to avoid having this reverted if subsequent code breaks
something.

Bug: 1062348
Change-Id: I4708a9a8a3bab8e559536b426bc4759705f48395
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2124856Reviewed-by: Roger Tawa <rogerta@chromium.org>
Commit-Queue: Dominique Fauteux-Chapleau <domfc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#755502}

chrome/browser/BUILD.gn

@@ -3191,6 +3191,8 @@ jumbo_static_library("browser") {
       "download/download_shelf_context_menu.h",
       "download/download_shelf_controller.cc",
       "download/download_shelf_controller.h",
+      "enterprise/connectors/connectors_manager.cc",
+      "enterprise/connectors/connectors_manager.h",
       "enterprise/connectors/enterprise_connectors_policy_handler.cc",
       "enterprise/connectors/enterprise_connectors_policy_handler.h",
       "enterprise/reporting/browser_report_generator.cc",

chrome/browser/enterprise/connectors/connectors_manager.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/enterprise/connectors/connectors_manager.h"
+#include <memory>
+
+#include "base/feature_list.h"
+#include "base/values.h"
+#include "chrome/browser/browser_process.h"
+#include "components/policy/core/browser/url_util.h"
+#include "components/prefs/pref_service.h"
+#include "components/safe_browsing/core/common/safe_browsing_prefs.h"
+#include "components/safe_browsing/core/features.h"
+#include "components/url_matcher/url_matcher.h"
+
+namespace enterprise_connectors {
+
+namespace {
+
+base::ListValue AllPatterns() {
+  auto v = std::vector<base::Value>();
+  v.emplace_back("*");
+  return base::ListValue(std::move(v));
+}
+
+bool MatchURLAgainstPatterns(const GURL& url,
+                             const base::ListValue* patterns_to_scan,
+                             const base::ListValue* patterns_to_exempt) {
+  url_matcher::URLMatcher matcher;
+  url_matcher::URLMatcherConditionSet::ID id(0);
+
+  policy::url_util::AddFilters(&matcher, true, &id, patterns_to_scan);
+
+  url_matcher::URLMatcherConditionSet::ID last_allowed_id = id;
+
+  policy::url_util::AddFilters(&matcher, false, &id, patterns_to_exempt);
+
+  auto matches = matcher.MatchURL(url);
+  bool has_scan_match = false;
+  for (const auto& match_id : matches) {
+    if (match_id <= last_allowed_id)
+      has_scan_match = true;
+    else
+      return false;
+  }
+  return has_scan_match;
+}
+
+}  // namespace
+
+// ConnectorsManager implementation---------------------------------------------
+ConnectorsManager::~ConnectorsManager() = default;
+
+ConnectorsManager::ConnectorsManager() = default;
+
+void ConnectorsManager::GetAnalysisSettings(const GURL& url,
+                                            AnalysisConnector connector,
+                                            AnalysisSettingsCallback callback) {
+  std::move(callback).Run(
+      GetAnalysisSettingsFromLegacyPolicies(url, connector));
+}
+
+base::Optional<ConnectorsManager::AnalysisSettings>
+ConnectorsManager::GetAnalysisSettingsFromLegacyPolicies(
+    const GURL& url,
+    AnalysisConnector connector) const {
+  // Legacy policies map to upload/download instead of individual hooks.
+  bool upload = connector != AnalysisConnector::FILE_DOWNLOADED;
+
+  std::set<std::string> tags = MatchURLAgainstLegacyPolicies(url, upload);
+
+  // No tags implies the legacy patterns policies didn't match the URL, so no
+  // settings are returned.
+  if (tags.empty())
+    return base::nullopt;
+
+  auto settings = AnalysisSettings();
+  settings.block_until_verdict = LegacyBlockUntilVerdict(upload);
+  settings.block_password_protected_files =
+      LegacyBlockPasswordProtectedFiles(upload);
+  settings.block_large_files = LegacyBlockLargeFiles(upload);
+  settings.block_unsupported_file_types =
+      LegacyBlockUnsupportedFileTypes(upload);
+  settings.tags = std::move(tags);
+
+  return settings;
+}
+
+BlockUntilVerdict ConnectorsManager::LegacyBlockUntilVerdict(
+    bool upload) const {
+  int pref = g_browser_process->local_state()->GetInteger(
+      prefs::kDelayDeliveryUntilVerdict);
+  if (pref == safe_browsing::DELAY_NONE)
+    return BlockUntilVerdict::NO_BLOCK;
+  if (pref == safe_browsing::DELAY_UPLOADS_AND_DOWNLOADS)
+    return BlockUntilVerdict::BLOCK;
+  return ((upload && pref == safe_browsing::DELAY_UPLOADS) ||
+          (!upload && pref == safe_browsing::DELAY_DOWNLOADS))
+             ? BlockUntilVerdict::BLOCK
+             : BlockUntilVerdict::NO_BLOCK;
+}
+
+bool ConnectorsManager::LegacyBlockPasswordProtectedFiles(bool upload) const {
+  int pref = g_browser_process->local_state()->GetInteger(
+      prefs::kAllowPasswordProtectedFiles);
+  if (pref == safe_browsing::ALLOW_NONE)
+    return true;
+  if (pref == safe_browsing::ALLOW_UPLOADS_AND_DOWNLOADS)
+    return false;
+  return upload ? pref != safe_browsing::ALLOW_UPLOADS
+                : pref != safe_browsing::ALLOW_DOWNLOADS;
+}
+
+bool ConnectorsManager::LegacyBlockLargeFiles(bool upload) const {
+  int pref = g_browser_process->local_state()->GetInteger(
+      prefs::kBlockLargeFileTransfer);
+  if (pref == safe_browsing::BLOCK_NONE)
+    return false;
+  if (pref == safe_browsing::BLOCK_LARGE_UPLOADS_AND_DOWNLOADS)
+    return true;
+  return upload ? pref == safe_browsing::BLOCK_LARGE_UPLOADS
+                : pref == safe_browsing::BLOCK_LARGE_DOWNLOADS;
+}
+
+bool ConnectorsManager::LegacyBlockUnsupportedFileTypes(bool upload) const {
+  int pref = g_browser_process->local_state()->GetInteger(
+      prefs::kBlockUnsupportedFiletypes);
+  if (pref == safe_browsing::BLOCK_UNSUPPORTED_FILETYPES_NONE)
+    return false;
+  if (pref == safe_browsing::BLOCK_UNSUPPORTED_FILETYPES_UPLOADS_AND_DOWNLOADS)
+    return true;
+  return upload ? pref == safe_browsing::BLOCK_UNSUPPORTED_FILETYPES_UPLOADS
+                : pref == safe_browsing::BLOCK_UNSUPPORTED_FILETYPES_DOWNLOADS;
+}
+
+bool ConnectorsManager::MatchURLAgainstLegacyDlpPolicies(const GURL& url,
+                                                         bool upload) const {
+  const base::ListValue all_patterns = AllPatterns();
+  const base::ListValue no_patterns = base::ListValue();
+
+  const base::ListValue* patterns_to_scan;
+  const base::ListValue* patterns_to_exempt;
+  if (upload) {
+    patterns_to_scan = &all_patterns;
+    patterns_to_exempt = g_browser_process->local_state()->GetList(
+        prefs::kURLsToNotCheckComplianceOfUploadedContent);
+  } else {
+    patterns_to_scan = g_browser_process->local_state()->GetList(
+        prefs::kURLsToCheckComplianceOfDownloadedContent);
+    patterns_to_exempt = &no_patterns;
+  }
+
+  return MatchURLAgainstPatterns(url, patterns_to_scan, patterns_to_exempt);
+}
+
+bool ConnectorsManager::MatchURLAgainstLegacyMalwarePolicies(
+    const GURL& url,
+    bool upload) const {
+  const base::ListValue all_patterns = AllPatterns();
+  const base::ListValue no_patterns = base::ListValue();
+
+  const base::ListValue* patterns_to_scan;
+  const base::ListValue* patterns_to_exempt;
+  if (upload) {
+    patterns_to_scan = g_browser_process->local_state()->GetList(
+        prefs::kURLsToCheckForMalwareOfUploadedContent);
+    patterns_to_exempt = &no_patterns;
+  } else {
+    patterns_to_scan = &all_patterns;
+    patterns_to_exempt = g_browser_process->local_state()->GetList(
+        prefs::kURLsToNotCheckForMalwareOfDownloadedContent);
+  }
+
+  return MatchURLAgainstPatterns(url, patterns_to_scan, patterns_to_exempt);
+}
+
+std::set<std::string> ConnectorsManager::MatchURLAgainstLegacyPolicies(
+    const GURL& url,
+    bool upload) const {
+  std::set<std::string> tags;
+
+  if (MatchURLAgainstLegacyDlpPolicies(url, upload))
+    tags.emplace("dlp");
+
+  if (MatchURLAgainstLegacyMalwarePolicies(url, upload))
+    tags.emplace("malware");
+
+  return tags;
+}
+
+// ConnectorsManager structs implementation-------------------------------------
+
+ConnectorsManager::AnalysisSettings::AnalysisSettings() = default;
+ConnectorsManager::AnalysisSettings::AnalysisSettings(
+    ConnectorsManager::AnalysisSettings&&) = default;
+ConnectorsManager::AnalysisSettings&
+ConnectorsManager::AnalysisSettings::operator=(
+    ConnectorsManager::AnalysisSettings&&) = default;
+ConnectorsManager::AnalysisSettings::~AnalysisSettings() = default;
+
+ConnectorsManager::ReportingSettings::ReportingSettings() = default;
+ConnectorsManager::ReportingSettings::ReportingSettings(
+    ConnectorsManager::ReportingSettings&&) = default;
+ConnectorsManager::ReportingSettings&
+ConnectorsManager::ReportingSettings::operator=(
+    ConnectorsManager::ReportingSettings&&) = default;
+ConnectorsManager::ReportingSettings::~ReportingSettings() = default;
+
+}  // namespace enterprise_connectors

chrome/browser/enterprise/connectors/connectors_manager.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_ENTERPRISE_CONNECTORS_CONNECTORS_MANAGER_H_
+#define CHROME_BROWSER_ENTERPRISE_CONNECTORS_CONNECTORS_MANAGER_H_
+
+#include "base/callback_forward.h"
+#include "base/optional.h"
+#include "url/gurl.h"
+
+namespace enterprise_connectors {
+
+// Enums representing each connector to be used as arguments so the manager can
+// read the appropriate policies/settings.
+enum class AnalysisConnector {
+  FILE_DOWNLOADED,
+  FILE_ATTACHED,
+  BULK_DATA_ENTRY,
+};
+
+enum class ReportingConnector {
+  SECURITY_EVENT,
+};
+
+// Enum representing if an analysis should block further interactions with the
+// browser until its verdict is obtained.
+enum class BlockUntilVerdict {
+  NO_BLOCK = 0,
+  BLOCK = 1,
+};
+
+// Manages access to Connector policies. This class is responsible for caching
+// the Connector policies, validate them against approved service providers and
+// provide a simple interface to them.
+class ConnectorsManager {
+ public:
+  // Structs representing settings to be used for an analysis or a report. These
+  // settings should only be kept and considered valid for the specific
+  // analysis/report they were obtained for.
+  struct AnalysisSettings {
+    AnalysisSettings();
+    AnalysisSettings(AnalysisSettings&&);
+    AnalysisSettings& operator=(AnalysisSettings&&);
+    ~AnalysisSettings();
+
+    GURL analysis_url;
+    std::set<std::string> tags;
+    BlockUntilVerdict block_until_verdict;
+    bool block_password_protected_files;
+    bool block_large_files;
+    bool block_unsupported_file_types;
+  };
+
+  struct ReportingSettings {
+    ReportingSettings();
+    ReportingSettings(ReportingSettings&&);
+    ReportingSettings& operator=(ReportingSettings&&);
+    ~ReportingSettings();
+
+    std::vector<GURL> reporting_urls;
+  };
+
+  // Callback used to retrieve AnalysisSettings objects from the manager
+  // asynchronously. base::nullopt means no analysis should take place.
+  using AnalysisSettingsCallback =
+      base::OnceCallback<void(base::Optional<AnalysisSettings>)>;
+
+  ConnectorsManager();
+  ~ConnectorsManager();
+
+  // Validates which settings should be applied to an analysis connector event
+  // against cached policies.
+  void GetAnalysisSettings(const GURL& url,
+                           AnalysisConnector connector,
+                           AnalysisSettingsCallback callback);
+
+ private:
+  // Legacy functions.
+  // These functions are used to interact with legacy policies and should stay
+  // private. They should be removed once legacy policies are deprecated.
+
+  // Returns analysis settings based on legacy policies.
+  base::Optional<AnalysisSettings> GetAnalysisSettingsFromLegacyPolicies(
+      const GURL& url,
+      AnalysisConnector connector) const;
+
+  BlockUntilVerdict LegacyBlockUntilVerdict(bool upload) const;
+  bool LegacyBlockPasswordProtectedFiles(bool upload) const;
+  bool LegacyBlockLargeFiles(bool upload) const;
+  bool LegacyBlockUnsupportedFileTypes(bool upload) const;
+
+  bool MatchURLAgainstLegacyDlpPolicies(const GURL& url, bool upload) const;
+  bool MatchURLAgainstLegacyMalwarePolicies(const GURL& url, bool upload) const;
+  std::set<std::string> MatchURLAgainstLegacyPolicies(const GURL& url,
+                                                      bool upload) const;
+};
+
+}  // namespace enterprise_connectors
+
+#endif  // CHROME_BROWSER_ENTERPRISE_CONNECTORS_CONNECTORS_MANAGER_H_

chrome/browser/enterprise/connectors/connectors_manager_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/enterprise/connectors/connectors_manager.h"
+
+#include "base/optional.h"
+#include "base/test/bind_test_util.h"
+#include "base/test/scoped_feature_list.h"
+#include "base/test/task_environment.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/test/base/testing_browser_process.h"
+#include "chrome/test/base/testing_profile.h"
+#include "chrome/test/base/testing_profile_manager.h"
+#include "components/prefs/pref_service.h"
+#include "components/prefs/scoped_user_pref_update.h"
+#include "components/safe_browsing/core/common/safe_browsing_prefs.h"
+#include "components/safe_browsing/core/features.h"
+#include "content/public/test/browser_task_environment.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace enterprise_connectors {
+
+namespace {
+
+constexpr char kTestUrlMatchingPattern[] = "google.com";
+
+constexpr char kTestUrlNotMatchingPattern[] = "chromium.org";
+
+constexpr AnalysisConnector kAllAnalysisConnectors[] = {
+    AnalysisConnector::FILE_DOWNLOADED, AnalysisConnector::FILE_ATTACHED,
+    AnalysisConnector::BULK_DATA_ENTRY};
+
+constexpr safe_browsing::BlockLargeFileTransferValues
+    kAllBlockLargeFilesPolicyValues[] = {
+        safe_browsing::BlockLargeFileTransferValues::BLOCK_NONE,
+        safe_browsing::BlockLargeFileTransferValues::BLOCK_LARGE_DOWNLOADS,
+        safe_browsing::BlockLargeFileTransferValues::BLOCK_LARGE_UPLOADS,
+        safe_browsing::BlockLargeFileTransferValues::
+            BLOCK_LARGE_UPLOADS_AND_DOWNLOADS};
+
+constexpr safe_browsing::BlockUnsupportedFiletypesValues
+    kAllBlockUnsupportedFileTypesValues[] = {
+        safe_browsing::BlockUnsupportedFiletypesValues::
+            BLOCK_UNSUPPORTED_FILETYPES_NONE,
+        safe_browsing::BlockUnsupportedFiletypesValues::
+            BLOCK_UNSUPPORTED_FILETYPES_DOWNLOADS,
+        safe_browsing::BlockUnsupportedFiletypesValues::
+            BLOCK_UNSUPPORTED_FILETYPES_UPLOADS,
+        safe_browsing::BlockUnsupportedFiletypesValues::
+            BLOCK_UNSUPPORTED_FILETYPES_UPLOADS_AND_DOWNLOADS,
+};
+
+constexpr safe_browsing::AllowPasswordProtectedFilesValues
+    kAllAllowEncryptedPolicyValues[] = {
+        safe_browsing::AllowPasswordProtectedFilesValues::ALLOW_NONE,
+        safe_browsing::AllowPasswordProtectedFilesValues::ALLOW_DOWNLOADS,
+        safe_browsing::AllowPasswordProtectedFilesValues::ALLOW_UPLOADS,
+        safe_browsing::AllowPasswordProtectedFilesValues::
+            ALLOW_UPLOADS_AND_DOWNLOADS};
+
+constexpr safe_browsing::DelayDeliveryUntilVerdictValues
+    kAllDelayDeliveryUntilVerdictValues[] = {
+        safe_browsing::DelayDeliveryUntilVerdictValues::DELAY_NONE,
+        safe_browsing::DelayDeliveryUntilVerdictValues::DELAY_DOWNLOADS,
+        safe_browsing::DelayDeliveryUntilVerdictValues::DELAY_UPLOADS,
+        safe_browsing::DelayDeliveryUntilVerdictValues::
+            DELAY_UPLOADS_AND_DOWNLOADS,
+};
+
+}  // namespace
+
+// Tests that permutations of legacy policies produce expected settings from a
+// ConnectorsManager instance. T is a type used to iterate over policies with a
+// {NONE, DOWNLOADS, UPLOADS, UPLOADS_AND_DOWNLOADS} pattern without testing
+// every single permutation since these settings are independent.
+template <typename T>
+class ConnectorsManagerLegacyPoliciesTest
+    : public testing::TestWithParam<std::tuple<AnalysisConnector, T>> {
+ public:
+  ConnectorsManagerLegacyPoliciesTest<T>()
+      : profile_manager_(TestingBrowserProcess::GetGlobal()) {
+    scoped_feature_list_.InitWithFeatures(
+        {safe_browsing::kContentComplianceEnabled,
+         safe_browsing::kMalwareScanEnabled},
+        {});
+
+    EXPECT_TRUE(profile_manager_.SetUp());
+    profile_ = profile_manager_.CreateTestingProfile("test-user");
+  }
+
+  AnalysisConnector connector() const { return std::get<0>(this->GetParam()); }
+  T tested_policy() const { return std::get<1>(this->GetParam()); }
+
+  bool upload_scan() const {
+    return connector() != AnalysisConnector::FILE_DOWNLOADED;
+  }
+
+  void ValidateSettings(const ConnectorsManager::AnalysisSettings& settings) {
+    ASSERT_EQ(settings.block_until_verdict, expected_block_until_verdict_);
+    ASSERT_EQ(settings.block_password_protected_files,
+              expected_block_password_protected_files_);
+    ASSERT_EQ(settings.block_large_files, expected_block_large_files_);
+    ASSERT_EQ(settings.block_unsupported_file_types,
+              expected_block_unsupported_file_types_);
+    ASSERT_EQ(settings.tags, expected_tags_);
+  }
+
+  base::Optional<ConnectorsManager::AnalysisSettings> GetAnalysisSettingsSync(
+      const GURL& url,
+      AnalysisConnector connector) {
+    // This helper only works when the result is known to be available
+    // synchronously. Do not use it for async tests.
+    base::Optional<ConnectorsManager::AnalysisSettings> settings(base::nullopt);
+    auto callback = base::BindLambdaForTesting(
+        [&settings](
+            base::Optional<ConnectorsManager::AnalysisSettings> tmp_settings) {
+          settings = std::move(tmp_settings);
+        });
+    connectors_manager_.GetAnalysisSettings(url, connector, callback);
+    return settings;
+  }
+
+  void TestPolicy() {
+    upload_scan() ? TestPolicyOnUpload() : TestPolicyOnDownload();
+  }
+
+  void TestPolicyOnDownload() {
+    // DLP only checks uploads by default and malware only checks downloads by
+    // default. Overriding the appropriate policies subsequently will change the
+    // tags matching the pattern.
+    auto default_settings = GetAnalysisSettingsSync(url_, connector());
+    ASSERT_TRUE(default_settings.has_value());
+    expected_tags_ = {"malware"};
+    ValidateSettings(default_settings.value());
+
+    // The DLP tag is still absent if the patterns don't match it.
+    ListPrefUpdate(TestingBrowserProcess::GetGlobal()->local_state(),
+                   prefs::kURLsToCheckComplianceOfDownloadedContent)
+        ->Append(kTestUrlNotMatchingPattern);
+    auto exempt_pattern_dlp_settings =
+        GetAnalysisSettingsSync(url_, connector());
+    ASSERT_TRUE(exempt_pattern_dlp_settings.has_value());
+    ValidateSettings(exempt_pattern_dlp_settings.value());
+
+    // The DLP tag is added once the patterns do match it.
+    ListPrefUpdate(TestingBrowserProcess::GetGlobal()->local_state(),
+                   prefs::kURLsToCheckComplianceOfDownloadedContent)
+        ->Append(kTestUrlMatchingPattern);
+    auto scan_pattern_dlp_settings = GetAnalysisSettingsSync(url_, connector());
+    ASSERT_TRUE(scan_pattern_dlp_settings.has_value());
+    expected_tags_ = {"dlp", "malware"};
+    ValidateSettings(scan_pattern_dlp_settings.value());
+
+    // The malware tag is removed once exempt patterns match it.
+    ListPrefUpdate(TestingBrowserProcess::GetGlobal()->local_state(),
+                   prefs::kURLsToNotCheckForMalwareOfDownloadedContent)
+        ->Append(kTestUrlMatchingPattern);
+    auto exempt_pattern_malware_settings =
+        GetAnalysisSettingsSync(url_, connector());
+    ASSERT_TRUE(exempt_pattern_malware_settings.has_value());
+    expected_tags_ = {"dlp"};
+    ValidateSettings(exempt_pattern_malware_settings.value());
+
+    // Both tags are removed once the patterns don't match them, resulting in no
+    // settings.
+    ListPrefUpdate(TestingBrowserProcess::GetGlobal()->local_state(),
+                   prefs::kURLsToCheckComplianceOfDownloadedContent)
+        ->Remove(1, nullptr);
+    auto no_settings = GetAnalysisSettingsSync(url_, connector());
+    ASSERT_FALSE(no_settings.has_value());
+  }
+
+  void TestPolicyOnUpload() {
+    // DLP only checks uploads by default and malware only checks downloads by
+    // default. Overriding the appropriate policies subsequently will change the
+    // tags matching the pattern.
+    auto default_settings = GetAnalysisSettingsSync(url_, connector());
+    ASSERT_TRUE(default_settings.has_value());
+    expected_tags_ = {"dlp"};
+    ValidateSettings(default_settings.value());
+
+    // The malware tag is still absent if the patterns don't match it.
+    ListPrefUpdate(TestingBrowserProcess::GetGlobal()->local_state(),
+                   prefs::kURLsToCheckForMalwareOfUploadedContent)
+        ->Append(kTestUrlNotMatchingPattern);
+    auto exempt_pattern_malware_settings =
+        GetAnalysisSettingsSync(url_, connector());
+    ASSERT_TRUE(exempt_pattern_malware_settings.has_value());
+    ValidateSettings(exempt_pattern_malware_settings.value());
+
+    // The malware tag is added once the patterns do match it.
+    ListPrefUpdate(TestingBrowserProcess::GetGlobal()->local_state(),
+                   prefs::kURLsToCheckForMalwareOfUploadedContent)
+        ->Append(kTestUrlMatchingPattern);
+    auto scan_pattern_malware_settings =
+        GetAnalysisSettingsSync(url_, connector());
+    ASSERT_TRUE(scan_pattern_malware_settings.has_value());
+    expected_tags_ = {"dlp", "malware"};
+    ValidateSettings(scan_pattern_malware_settings.value());
+
+    // The DLP tag is removed once exempt patterns match it.
+    ListPrefUpdate(TestingBrowserProcess::GetGlobal()->local_state(),
+                   prefs::kURLsToNotCheckComplianceOfUploadedContent)
+        ->Append(kTestUrlMatchingPattern);
+    auto exempt_pattern_dlp_settings =
+        GetAnalysisSettingsSync(url_, connector());
+    ASSERT_TRUE(exempt_pattern_dlp_settings.has_value());
+    expected_tags_ = {"malware"};
+    ValidateSettings(exempt_pattern_dlp_settings.value());
+
+    // Both tags are removed once the patterns don't match them, resulting in no
+    // settings.
+    ListPrefUpdate(TestingBrowserProcess::GetGlobal()->local_state(),
+                   prefs::kURLsToCheckForMalwareOfUploadedContent)
+        ->Remove(1, nullptr);
+    auto no_settings = GetAnalysisSettingsSync(url_, connector());
+    ASSERT_FALSE(no_settings.has_value());
+  }
+
+ protected:
+  content::BrowserTaskEnvironment task_environment_;
+  base::test::ScopedFeatureList scoped_feature_list_;
+  TestingProfileManager profile_manager_;
+  TestingProfile* profile_;
+  ConnectorsManager connectors_manager_;
+  GURL url_ = GURL("https://google.com");
+
+  // Set to the default value of their legacy policy.
+  std::set<std::string> expected_tags_ = {};
+  BlockUntilVerdict expected_block_until_verdict_ = BlockUntilVerdict::NO_BLOCK;
+  bool expected_block_password_protected_files_ = false;
+  bool expected_block_large_files_ = false;
+  bool expected_block_unsupported_file_types_ = false;
+};
+
+class ConnectorsManagerBlockLargeFileTest
+    : public ConnectorsManagerLegacyPoliciesTest<
+          safe_browsing::BlockLargeFileTransferValues> {
+ public:
+  ConnectorsManagerBlockLargeFileTest() {
+    TestingBrowserProcess::GetGlobal()->local_state()->SetInteger(
+        prefs::kBlockLargeFileTransfer, tested_policy());
+    expected_block_large_files_ = [this]() {
+      if (tested_policy() == safe_browsing::BLOCK_LARGE_UPLOADS_AND_DOWNLOADS)
+        return true;
+      if (tested_policy() == safe_browsing::BLOCK_NONE)
+        return false;
+      return upload_scan()
+                 ? tested_policy() == safe_browsing::BLOCK_LARGE_UPLOADS
+                 : tested_policy() == safe_browsing::BLOCK_LARGE_DOWNLOADS;
+    }();
+  }
+};
+
+TEST_P(ConnectorsManagerBlockLargeFileTest, Test) {
+  TestPolicy();
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    ConnectorsManagerBlockLargeFileTest,
+    ConnectorsManagerBlockLargeFileTest,
+    testing::Combine(testing::ValuesIn(kAllAnalysisConnectors),
+                     testing::ValuesIn(kAllBlockLargeFilesPolicyValues)));
+
+class ConnectorsManagerBlockUnsupportedFileTypesTest
+    : public ConnectorsManagerLegacyPoliciesTest<
+          safe_browsing::BlockUnsupportedFiletypesValues> {
+ public:
+  ConnectorsManagerBlockUnsupportedFileTypesTest() {
+    TestingBrowserProcess::GetGlobal()->local_state()->SetInteger(
+        prefs::kBlockUnsupportedFiletypes, tested_policy());
+    expected_block_unsupported_file_types_ = [this]() {
+      if (tested_policy() ==
+          safe_browsing::BLOCK_UNSUPPORTED_FILETYPES_UPLOADS_AND_DOWNLOADS)
+        return true;
+      if (tested_policy() == safe_browsing::BLOCK_UNSUPPORTED_FILETYPES_NONE)
+        return false;
+      return upload_scan()
+                 ? tested_policy() ==
+                       safe_browsing::BLOCK_UNSUPPORTED_FILETYPES_UPLOADS
+                 : tested_policy() ==
+                       safe_browsing::BLOCK_UNSUPPORTED_FILETYPES_DOWNLOADS;
+    }();
+  }
+};
+
+TEST_P(ConnectorsManagerBlockUnsupportedFileTypesTest, Test) {
+  TestPolicy();
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    ConnectorsManagerBlockUnsupportedFileTypesTest,
+    ConnectorsManagerBlockUnsupportedFileTypesTest,
+    testing::Combine(testing::ValuesIn(kAllAnalysisConnectors),
+                     testing::ValuesIn(kAllBlockUnsupportedFileTypesValues)));
+
+class ConnectorsManagerAllowPasswordProtectedFilesTest
+    : public ConnectorsManagerLegacyPoliciesTest<
+          safe_browsing::AllowPasswordProtectedFilesValues> {
+ public:
+  ConnectorsManagerAllowPasswordProtectedFilesTest() {
+    TestingBrowserProcess::GetGlobal()->local_state()->SetInteger(
+        prefs::kAllowPasswordProtectedFiles, tested_policy());
+    expected_block_password_protected_files_ = [this]() {
+      if (tested_policy() == safe_browsing::ALLOW_UPLOADS_AND_DOWNLOADS)
+        return false;
+      if (tested_policy() == safe_browsing::ALLOW_NONE)
+        return true;
+      return upload_scan() ? tested_policy() != safe_browsing::ALLOW_UPLOADS
+                           : tested_policy() != safe_browsing::ALLOW_DOWNLOADS;
+    }();
+  }
+};
+
+TEST_P(ConnectorsManagerAllowPasswordProtectedFilesTest, Test) {
+  TestPolicy();
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    ConnectorsManagerAllowPasswordProtectedFilesTest,
+    ConnectorsManagerAllowPasswordProtectedFilesTest,
+    testing::Combine(testing::ValuesIn(kAllAnalysisConnectors),
+                     testing::ValuesIn(kAllAllowEncryptedPolicyValues)));
+
+class ConnectorsManagerDelayDeliveryUntilVerdictTest
+    : public ConnectorsManagerLegacyPoliciesTest<
+          safe_browsing::DelayDeliveryUntilVerdictValues> {
+ public:
+  ConnectorsManagerDelayDeliveryUntilVerdictTest() {
+    TestingBrowserProcess::GetGlobal()->local_state()->SetInteger(
+        prefs::kDelayDeliveryUntilVerdict, tested_policy());
+    expected_block_until_verdict_ = [this]() {
+      if (tested_policy() == safe_browsing::DELAY_UPLOADS_AND_DOWNLOADS)
+        return BlockUntilVerdict::BLOCK;
+      if (tested_policy() == safe_browsing::DELAY_NONE)
+        return BlockUntilVerdict::NO_BLOCK;
+      bool delay =
+          (upload_scan() && tested_policy() == safe_browsing::DELAY_UPLOADS) ||
+          (!upload_scan() && tested_policy() == safe_browsing::DELAY_DOWNLOADS);
+      return delay ? BlockUntilVerdict::BLOCK : BlockUntilVerdict::NO_BLOCK;
+    }();
+  }
+};
+
+TEST_P(ConnectorsManagerDelayDeliveryUntilVerdictTest, Test) {
+  TestPolicy();
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    ConnectorsManagerDelayDeliveryUntilVerdictTest,
+    ConnectorsManagerDelayDeliveryUntilVerdictTest,
+    testing::Combine(testing::ValuesIn(kAllAnalysisConnectors),
+                     testing::ValuesIn(kAllDelayDeliveryUntilVerdictValues)));
+
+}  // namespace enterprise_connectors

chrome/test/BUILD.gn

@@ -3887,6 +3887,7 @@ test("unit_tests") {
       "../browser/diagnostics/diagnostics_model_unittest.cc",
       "../browser/download/download_commands_unittest.cc",
       "../browser/download/download_shelf_unittest.cc",
+      "../browser/enterprise/connectors/connectors_manager_unittest.cc",
       "../browser/enterprise/connectors/enterprise_connectors_policy_handler_unittest.cc",
       "../browser/enterprise/reporting/browser_report_generator_unittest.cc",
       "../browser/enterprise/reporting/extension_info_unittest.cc",