[CrOs] Show a disabled auth message on secondary login screen

Bug: 1066489 Change-Id: I1d4a0faaad3ff753995ecf68c9d227b150f31eb9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2391146Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Commit-Queue: Thomas Tellier <tellier@google.com> Cr-Commit-Position: refs/heads/master@{#809905}

[CrOs] Show a disabled auth message on secondary login screen
Bug: 1066489 Change-Id: I1d4a0faaad3ff753995ecf68c9d227b150f31eb9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2391146Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Commit-Queue: Thomas Tellier <tellier@google.com> Cr-Commit-Position: refs/heads/master@{#809905}
e3dd3e63 · Thomas Tellier · Commit Bot · 086c526d · e3dd3e63 · e3dd3e63
Commit e3dd3e63 authored Sep 23, 2020 by Thomas Tellier Committed by Commit Bot Sep 23, 2020
9 changed files
--- a/ash/ash_strings.grd
+++ b/ash/ash_strings.grd
@@ -2271,6 +2271,18 @@ This file contains the strings for ash.
      <message name="IDS_ASH_LOGIN_MANUAL_LOCK_MESSAGE" desc="Message shown to user indicating that their parent locked the device.">
        Your parent locked this device
      </message>
+      <message name="IDS_ASH_LOGIN_MULTI_PROFILES_RESTRICTED_POLICY_TITLE" desc="Text that is shown on the title of the bubble shown for user pod which is not allowed in multi-profiles session.">
+        Can't set up multiple sign-in
+      </message>
+      <message name="IDS_ASH_LOGIN_MULTI_PROFILES_NOT_ALLOWED_POLICY_MSG" desc="Text that is shown on the bubble shown for user pod which is not allowed in multi-profiles session because of not-allowed policy or because of usage policy-pushed certificates.">
+        The administrator for this account has disallowed multiple sign-in.
+      </message>
+      <message name="IDS_ASH_LOGIN_MULTI_PROFILES_PRIMARY_ONLY_POLICY_MSG" desc="Text that is shown on the bubble shown for user pod which is not allowed in multi-profiles session because of primary-only policy.">
+        The administrator for this account requires this account to be the first signed-in account in a multiple sign-in session.
+      </message>
+      <message name="IDS_ASH_LOGIN_MULTI_PROFILES_OWNER_PRIMARY_ONLY_MSG" desc="Text that is shown on the bubble shown for owner user pod which is not allowed in multi-profiles session because it has to be primary user in the session.">
+        This owner account has to be the first signed-in account in a multiple sign-in session.
+      </message>
      <message name="IDS_ASH_LOGIN_PUBLIC_ACCOUNT_MONITORING_INFO" desc="Text shown in the warning dialog after user clicks on the learn more link, notifying the user of potential security and privacy implications of using the device">
        The admin of this device has the ability to:
      </message>

--- a/ash/ash_strings_grd/IDS_ASH_LOGIN_MULTI_PROFILES_NOT_ALLOWED_POLICY_MSG.png.sha1
+++ b/ash/ash_strings_grd/IDS_ASH_LOGIN_MULTI_PROFILES_NOT_ALLOWED_POLICY_MSG.png.sha1
+ebbdb5407ce393e8453a620a09fc6484b65a7559
\ No newline at end of file
--- a/ash/ash_strings_grd/IDS_ASH_LOGIN_MULTI_PROFILES_OWNER_PRIMARY_ONLY_MSG.png.sha1
+++ b/ash/ash_strings_grd/IDS_ASH_LOGIN_MULTI_PROFILES_OWNER_PRIMARY_ONLY_MSG.png.sha1
+733e28a6ba361723f3d558a2ee4e431f5d3fe69f
\ No newline at end of file
--- a/ash/ash_strings_grd/IDS_ASH_LOGIN_MULTI_PROFILES_PRIMARY_ONLY_POLICY_MSG.png.sha1
+++ b/ash/ash_strings_grd/IDS_ASH_LOGIN_MULTI_PROFILES_PRIMARY_ONLY_POLICY_MSG.png.sha1
+88156671eb7402544a2096bce16b7d039a9a81d8
\ No newline at end of file
--- a/ash/ash_strings_grd/IDS_ASH_LOGIN_MULTI_PROFILES_RESTRICTED_POLICY_TITLE.png.sha1
+++ b/ash/ash_strings_grd/IDS_ASH_LOGIN_MULTI_PROFILES_RESTRICTED_POLICY_TITLE.png.sha1
+88156671eb7402544a2096bce16b7d039a9a81d8
\ No newline at end of file
--- a/ash/login/ui/lock_contents_view.cc
+++ b/ash/login/ui/lock_contents_view.cc
@@ -591,6 +591,9 @@ LockContentsView::UserState::UserState(const LoginUserInfo& user_info)
  if (user_info.auth_type == proximity_auth::mojom::AuthType::ONLINE_SIGN_IN)
    force_online_sign_in = true;
  show_pin_pad_for_password = user_info.show_pin_pad_for_password;
+  disable_auth = !user_info.is_multiprofile_allowed &&
+                 Shell::Get()->session_controller()->GetSessionState() ==
+                     session_manager::SessionState::LOGIN_SECONDARY;
 }
 LockContentsView::UserState::UserState(UserState&&) = default;

--- a/ash/login/ui/login_auth_user_view.cc
+++ b/ash/login/ui/login_auth_user_view.cc
@@ -25,6 +25,7 @@
 #include "ash/login/ui/views_utils.h"
 #include "ash/public/cpp/login_constants.h"
 #include "ash/resources/vector_icons/vector_icons.h"
+#include "ash/session/session_controller_impl.h"
 #include "ash/shell.h"
 #include "ash/strings/grit/ash_strings.h"
 #include "ash/system/model/clock_model.h"
@@ -122,7 +123,8 @@ constexpr int kDistanceBetweenPwdFieldAndChallengeResponseViewDp = 0;
 constexpr int kDisabledAuthMessageVerticalBorderDp = 16;
 constexpr int kDisabledAuthMessageHorizontalBorderDp = 16;
 constexpr int kDisabledAuthMessageChildrenSpacingDp = 4;
-constexpr int kDisabledAuthMessageWidthDp = 204;
+constexpr int kDisabledAuthMessageTimeWidthDp = 204;
+constexpr int kDisabledAuthMessageMultiprofileWidthDp = 304;
 constexpr int kDisabledAuthMessageHeightDp = 98;
 constexpr int kDisabledAuthMessageIconSizeDp = 24;
 constexpr int kDisabledAuthMessageTitleFontSizeDeltaDp = 3;
@@ -681,7 +683,14 @@ class LoginAuthUserView::DisabledAuthMessageView : public views::View {
    DisabledAuthMessageView* const view_;
  };
-  DisabledAuthMessageView() {
+  // If the reason of disabled auth is multiprofile policy, then we can already
+  // set the text and message. Otherwise, in case of disabled auth because of
+  // time limit exceeded on child account, we wait for SetAuthDisabledMessage to
+  // be called.
+  DisabledAuthMessageView(bool shown_because_of_multiprofile_policy,
+                          MultiProfileUserBehavior multiprofile_policy)
+      : shown_because_of_multiprofile_policy_(
+            shown_because_of_multiprofile_policy) {
    SetLayoutManager(std::make_unique<views::BoxLayout>(
        views::BoxLayout::Orientation::kVertical,
        gfx::Insets(kDisabledAuthMessageVerticalBorderDp,
@@ -689,16 +698,20 @@ class LoginAuthUserView::DisabledAuthMessageView : public views::View {
        kDisabledAuthMessageChildrenSpacingDp));
    SetPaintToLayer();
    layer()->SetFillsBoundsOpaquely(false);
-    SetPreferredSize(
+    SetPreferredSize(gfx::Size(shown_because_of_multiprofile_policy
-        gfx::Size(kDisabledAuthMessageWidthDp, kDisabledAuthMessageHeightDp));
+                                   ? kDisabledAuthMessageMultiprofileWidthDp
+                                   : kDisabledAuthMessageTimeWidthDp,
+                               kDisabledAuthMessageHeightDp));
    SetFocusBehavior(FocusBehavior::ALWAYS);
-    message_icon_ = new views::ImageView();
+    if (!shown_because_of_multiprofile_policy) {
-    message_icon_->SetPreferredSize(gfx::Size(kDisabledAuthMessageIconSizeDp,
+      message_icon_ = new views::ImageView();
-                                              kDisabledAuthMessageIconSizeDp));
+      message_icon_->SetPreferredSize(gfx::Size(
-    message_icon_->SetImage(
+          kDisabledAuthMessageIconSizeDp, kDisabledAuthMessageIconSizeDp));
-        gfx::CreateVectorIcon(kLockScreenTimeLimitMoonIcon,
+      message_icon_->SetImage(
-                              kDisabledAuthMessageIconSizeDp, SK_ColorWHITE));
+          gfx::CreateVectorIcon(kLockScreenTimeLimitMoonIcon,
-    AddChildView(message_icon_);
+                                kDisabledAuthMessageIconSizeDp, SK_ColorWHITE));
+      AddChildView(message_icon_);
+    }
    auto decorate_label = [](views::Label* label) {
      label->SetSubpixelRenderingEnabled(false);
@@ -724,6 +737,27 @@ class LoginAuthUserView::DisabledAuthMessageView : public views::View {
    decorate_label(message_contents_);
    message_contents_->SetMultiLine(true);
    AddChildView(message_contents_);
+    if (shown_because_of_multiprofile_policy) {
+      message_title_->SetText(l10n_util::GetStringUTF16(
+          IDS_ASH_LOGIN_MULTI_PROFILES_RESTRICTED_POLICY_TITLE));
+      switch (multiprofile_policy) {
+        case MultiProfileUserBehavior::PRIMARY_ONLY:
+          message_contents_->SetText(l10n_util::GetStringUTF16(
+              IDS_ASH_LOGIN_MULTI_PROFILES_PRIMARY_ONLY_POLICY_MSG));
+          break;
+        case MultiProfileUserBehavior::NOT_ALLOWED:
+          message_contents_->SetText(l10n_util::GetStringUTF16(
+              IDS_ASH_LOGIN_MULTI_PROFILES_NOT_ALLOWED_POLICY_MSG));
+          break;
+        case MultiProfileUserBehavior::OWNER_PRIMARY_ONLY:
+          message_contents_->SetText(l10n_util::GetStringUTF16(
+              IDS_ASH_LOGIN_MULTI_PROFILES_OWNER_PRIMARY_ONLY_MSG));
+          break;
+        default:
+          NOTREACHED();
+      }
+    }
  }
  ~DisabledAuthMessageView() override = default;
@@ -731,6 +765,9 @@ class LoginAuthUserView::DisabledAuthMessageView : public views::View {
  // Set the parameters needed to render the message.
  void SetAuthDisabledMessage(const AuthDisabledData& auth_disabled_data,
                              bool use_24hour_clock) {
+    // Do not do anything if message is already shown.
+    if (shown_because_of_multiprofile_policy_)
+      return;
    LockScreenMessage message = GetLockScreenMessage(
        auth_disabled_data.reason, auth_disabled_data.auth_reenabled_time,
        auth_disabled_data.device_used_time, use_24hour_clock);
@@ -758,6 +795,10 @@ class LoginAuthUserView::DisabledAuthMessageView : public views::View {
  views::Label* message_title_;
  views::Label* message_contents_;
  views::ImageView* message_icon_;
+  // Used in case a child account has triggered the disabled auth message
+  // because of time limit exceeded while it also has disabled auth by
+  // multiprofile policy.
+  bool shown_because_of_multiprofile_policy_ = false;
  DISALLOW_COPY_AND_ASSIGN(DisabledAuthMessageView);
 };
@@ -1025,7 +1066,12 @@ LoginAuthUserView::LoginAuthUserView(const LoginUserInfo& user,
      /*multiline*/ false);
  online_sign_in_message_ = online_sign_in_message.get();
-  auto disabled_auth_message = std::make_unique<DisabledAuthMessageView>();
+  bool shown_because_of_multiprofile_policy =
+      !user.is_multiprofile_allowed &&
+      Shell::Get()->session_controller()->GetSessionState() ==
+          session_manager::SessionState::LOGIN_SECONDARY;
+  auto disabled_auth_message = std::make_unique<DisabledAuthMessageView>(
+      shown_because_of_multiprofile_policy, user.multiprofile_policy);
  disabled_auth_message_ = disabled_auth_message.get();
  auto locked_tpm_message_view = std::make_unique<LockedTpmMessageView>();

--- a/chrome/app/chromeos_strings.grdp
+++ b/chrome/app/chromeos_strings.grdp
@@ -1349,6 +1349,7 @@
  <message name="IDS_WILCO_NOTIFICATION_LEARN_MORE" desc="Label on button in various Wilco notification.">
    Learn More
  </message>
+  <!-- Multi-profiles related strings, should be synced with corresponding Ash strings until they get removed. -->
  <message name="IDS_MULTI_PROFILES_RESTRICTED_POLICY_TITLE" desc="Text that is shown on the title of the bubble shown for user pod which is not allowed in multi-profiles session.">
    Can't set up multiple sign-in
  </message>

--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -7235,7 +7235,7 @@
    },
    {
      'name': 'ChromeOsMultiProfileUserBehavior',
-      'owners': ['xiyuan@chromium.org', 'sinhak@chromium.org'],
+      'owners': ['xiyuan@chromium.org', 'sinhak@chromium.org', 'tellier@google.com', 'rsorokin@chromium.org', 'cros-oac@google.com'],
      'type': 'string-enum',
      'schema': {
        'type': 'string',