[iOS Enterprise] BrowserSignin: initial support

Makes the basic policy infrastructure changes to begin supporting the BrowserSignin policy. The policy handler is hidden behind a command-line switch, since the policy isn't fully supported yet. Attempting to sign in while setting this policy to 0 (sign-in disabled) will make the browser crash, as not all parts of the authentication flow correctly handles sign-in being disabled yet. Change-Id: Iefad6d36685bb11a26e55494dc3be4222e8366c5 Bug: 1155745 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2562719 Commit-Queue: Guillaume Jenkins <gujen@google.com> Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org> Reviewed-by: Rohit Rao <rohitrao@chromium.org> Cr-Commit-Position: refs/heads/master@{#835694}

[iOS Enterprise] BrowserSignin: initial support
Makes the basic policy infrastructure changes to begin supporting the BrowserSignin policy. The policy handler is hidden behind a command-line switch, since the policy isn't fully supported yet. Attempting to sign in while setting this policy to 0 (sign-in disabled) will make the browser crash, as not all parts of the authentication flow correctly handles sign-in being disabled yet. Change-Id: Iefad6d36685bb11a26e55494dc3be4222e8366c5 Bug: 1155745 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2562719 Commit-Queue: Guillaume Jenkins <gujen@google.com> Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org> Reviewed-by: Rohit Rao <rohitrao@chromium.org> Cr-Commit-Position: refs/heads/master@{#835694}
f287ab69 · Guillaume Jenkins · Chromium LUCI CQ · a326523b · f287ab69 · f287ab69
Commit f287ab69 authored Dec 10, 2020 by Guillaume Jenkins Committed by Chromium LUCI CQ Dec 10, 2020
12 changed files
--- a/chrome/browser/policy/browser_signin_policy_handler.h
+++ b/chrome/browser/policy/browser_signin_policy_handler.h
@@ -18,7 +18,9 @@ enum class BrowserSigninMode {
  kForced = 2,
 };

-// ConfigurationPolicyHandler for the RoamingProfileLocation policy.
+// ConfigurationPolicyHandler for the BrowserSignin policy. This handles all
+// non-iOS platforms. The iOS equivalent handler is at
+// ios/chrome/browser/policy/browser_signin_policy_handler.h
 class BrowserSigninPolicyHandler : public SchemaValidatingPolicyHandler {
 public:
  explicit BrowserSigninPolicyHandler(Schema chrome_schema);

--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -13903,6 +13903,7 @@
        },
      ],
      'supported_on': ['chrome.*:70-', 'android:70-'],
+      'future_on': [ 'ios' ],
      'features': {
        'dynamic_refresh': False,
        'per_profile': False
--- a/ios/chrome/browser/chrome_switches.cc
+++ b/ios/chrome/browser/chrome_switches.cc
@@ -39,6 +39,9 @@ const char kEnableSpotlightActions[] = "enable-spotlight-actions";
 const char kEnableThirdPartyKeyboardWorkaround[] =
    "enable-third-party-keyboard-workaround";

+// Installs the BrowserSignin policy handler.
+const char kInstallBrowserSigninHandler[] = "install-browser-signin-handler";
+
 // Installs the URLBlocklist and URLAllowlist handlers.
 const char kInstallURLBlocklistHandlers[] = "install-url-blocklist-handlers";


--- a/ios/chrome/browser/chrome_switches.h
+++ b/ios/chrome/browser/chrome_switches.h
@@ -17,6 +17,7 @@ extern const char kEnableEnterprisePolicy[];
 extern const char kEnableIOSHandoffToOtherDevices[];
 extern const char kEnableSpotlightActions[];
 extern const char kEnableThirdPartyKeyboardWorkaround[];
+extern const char kInstallBrowserSigninHandler[];
 extern const char kInstallURLBlocklistHandlers[];

 extern const char kUserAgent[];

--- a/ios/chrome/browser/policy/BUILD.gn
+++ b/ios/chrome/browser/policy/BUILD.gn
@@ -8,6 +8,8 @@ source_set("policy") {
    "browser_dm_token_storage_ios.mm",
    "browser_policy_connector_ios.h",
    "browser_policy_connector_ios.mm",
+    "browser_signin_policy_handler.cc",
+    "browser_signin_policy_handler.h",
    "browser_state_policy_connector.h",
    "browser_state_policy_connector.mm",
    "browser_state_policy_connector_factory.h",
@@ -48,6 +50,8 @@ source_set("policy") {
    "//components/safe_browsing/core/common:safe_browsing_policy_handler",
    "//components/safe_browsing/core/common:safe_browsing_prefs",
    "//components/search_engines",
+    "//components/signin/public/base",
+    "//components/strings:components_strings_grit",
    "//components/translate/core/browser:translate_pref_names",
    "//components/variations",
    "//components/variations/service",

--- a/ios/chrome/browser/policy/browser_signin_policy_handler.cc
+++ b/ios/chrome/browser/policy/browser_signin_policy_handler.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "ios/chrome/browser/policy/browser_signin_policy_handler.h"
+
+#include <memory>
+
+#include "base/strings/string_number_conversions.h"
+#include "base/syslog_logging.h"
+#include "base/values.h"
+#include "components/policy/core/browser/policy_error_map.h"
+#include "components/policy/core/common/policy_map.h"
+#include "components/policy/policy_constants.h"
+#include "components/prefs/pref_value_map.h"
+#include "components/signin/public/base/signin_pref_names.h"
+#include "components/strings/grit/components_strings.h"
+
+namespace policy {
+BrowserSigninPolicyHandler::BrowserSigninPolicyHandler(Schema chrome_schema)
+    : SchemaValidatingPolicyHandler(
+          key::kBrowserSignin,
+          chrome_schema.GetKnownProperty(key::kBrowserSignin),
+          SCHEMA_ALLOW_UNKNOWN) {}
+
+BrowserSigninPolicyHandler::~BrowserSigninPolicyHandler() {}
+
+bool BrowserSigninPolicyHandler::CheckPolicySettings(
+    const policy::PolicyMap& policies,
+    policy::PolicyErrorMap* errors) {
+  const base::Value* value = policies.GetValue(policy_name());
+  if (!value)
+    return true;
+
+  if (!SchemaValidatingPolicyHandler::CheckPolicySettings(policies, errors))
+    return false;
+
+  int int_value = value->GetAsInteger(&int_value);
+  if (int_value == static_cast<int>(BrowserSigninMode::kForced)) {
+    // Don't return false because in this case the policy falls back to
+    // BrowserSigninMode::kEnabled
+    errors->AddError(policy_name(), IDS_POLICY_LEVEL_ERROR);
+  }
+
+  return true;
+}
+
+void BrowserSigninPolicyHandler::ApplyPolicySettings(const PolicyMap& policies,
+                                                     PrefValueMap* prefs) {
+  const base::Value* value = policies.GetValue(policy_name());
+  int int_value;
+  if (value && value->GetAsInteger(&int_value)) {
+    if (static_cast<int>(BrowserSigninMode::kDisabled) > int_value ||
+        static_cast<int>(BrowserSigninMode::kForced) < int_value) {
+      SYSLOG(ERROR) << "Unexpected value for BrowserSigninMode: " << int_value;
+      NOTREACHED();
+      return;
+    }
+    switch (static_cast<BrowserSigninMode>(int_value)) {
+      case BrowserSigninMode::kForced:
+        // Forced sign-in isn't supported at the moment on iOS. Fall back to
+        // sign-in enabled.
+        FALLTHROUGH;
+      case BrowserSigninMode::kEnabled:
+        prefs->SetValue(prefs::kSigninAllowed, base::Value(true));
+        break;
+      case BrowserSigninMode::kDisabled:
+        prefs->SetValue(prefs::kSigninAllowed, base::Value(false));
+        break;
+    }
+  }
+}
+
+}  // namespace policy
--- a/ios/chrome/browser/policy/browser_signin_policy_handler.h
+++ b/ios/chrome/browser/policy/browser_signin_policy_handler.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef IOS_CHROME_BROWSER_POLICY_BROWSER_SIGNIN_POLICY_HANDLER_H_
+#define IOS_CHROME_BROWSER_POLICY_BROWSER_SIGNIN_POLICY_HANDLER_H_
+
+#include "components/policy/core/browser/configuration_policy_handler.h"
+
+namespace policy {
+// Values for the BrowserSignin policy.
+// VALUES MUST COINCIDE WITH THE BrowserSignin POLICY DEFINITION.
+enum class BrowserSigninMode {
+  kDisabled = 0,
+  kEnabled = 1,
+  kForced = 2,
+};
+
+// Policy handler for the BrowserSignin policy.
+class BrowserSigninPolicyHandler : public SchemaValidatingPolicyHandler {
+ public:
+  explicit BrowserSigninPolicyHandler(Schema chrome_schema);
+  BrowserSigninPolicyHandler(const BrowserSigninPolicyHandler&) = delete;
+  BrowserSigninPolicyHandler& operator=(const BrowserSigninPolicyHandler&) =
+      delete;
+  ~BrowserSigninPolicyHandler() override;
+
+  // ConfigurationPolicyHandler methods:
+  bool CheckPolicySettings(const policy::PolicyMap& policies,
+                           policy::PolicyErrorMap* errors) override;
+  void ApplyPolicySettings(const PolicyMap& policies,
+                           PrefValueMap* prefs) override;
+};
+
+}  // namespace policy
+
+#endif  // IOS_CHROME_BROWSER_POLICY_BROWSER_SIGNIN_POLICY_HANDLER_H_
\ No newline at end of file
--- a/ios/chrome/browser/policy/configuration_policy_handler_list_factory.mm
+++ b/ios/chrome/browser/policy/configuration_policy_handler_list_factory.mm
@@ -26,6 +26,7 @@
 #include "components/translate/core/browser/translate_pref_names.h"
 #include "components/variations/pref_names.h"
 #include "components/variations/service/variations_service.h"
+#include "ios/chrome/browser/policy/browser_signin_policy_handler.h"
 #include "ios/chrome/browser/policy/policy_features.h"
 #include "ios/chrome/browser/pref_names.h"

@@ -130,6 +131,11 @@ std::unique_ptr<policy::ConfigurationPolicyHandlerList> BuildPolicyHandlerList(
      std::make_unique<bookmarks::ManagedBookmarksPolicyHandler>(
          chrome_schema));

+  if (ShouldInstallBrowserSigninPolicyHandler()) {
+    handlers->AddHandler(
+        std::make_unique<policy::BrowserSigninPolicyHandler>(chrome_schema));
+  }
+
  if (ShouldInstallURLBlocklistPolicyHandlers()) {
    handlers->AddHandler(std::make_unique<policy::URLBlocklistPolicyHandler>(
        policy::key::kURLBlocklist));

--- a/ios/chrome/browser/policy/policy_features.cc
+++ b/ios/chrome/browser/policy/policy_features.cc
@@ -63,6 +63,10 @@ bool IsManagedBookmarksEnabled() {
  return base::FeatureList::IsEnabled(kManagedBookmarksIOS);
 }

+bool ShouldInstallBrowserSigninPolicyHandler() {
+  return HasSwitch(switches::kInstallBrowserSigninHandler);
+}
+
 bool ShouldInstallURLBlocklistPolicyHandlers() {
  return HasSwitch(switches::kInstallURLBlocklistHandlers);
 }

--- a/ios/chrome/browser/policy/policy_features.h
+++ b/ios/chrome/browser/policy/policy_features.h
@@ -39,6 +39,10 @@ bool IsIncognitoModeAvailable();
 // policy data and make it user visible.
 bool ShouldInstallEnterprisePolicyHandlers();

+// Returns true if the BrowserSignin policy handler should be installed to
+// parse policy data and make it user visible.
+bool ShouldInstallBrowserSigninPolicyHandler();
+
 // Returns true if the ManagedBookmarks policy handler should be installed to
 // parse policy data and make it user visible.
 bool ShouldInstallManagedBookmarksPolicyHandler();

--- a/ios/chrome/browser/policy/policy_unittest.mm
+++ b/ios/chrome/browser/policy/policy_unittest.mm
@@ -37,6 +37,8 @@ class PolicyTest : public PlatformTest {
  PolicyTest() {
    base::CommandLine::ForCurrentProcess()->AppendSwitch(
        switches::kEnableEnterprisePolicy);
+    base::CommandLine::ForCurrentProcess()->AppendSwitch(
+        switches::kInstallBrowserSigninHandler);
    base::CommandLine::ForCurrentProcess()->AppendSwitch(
        switches::kInstallURLBlocklistHandlers);
  }

--- a/ios/chrome/test/data/policy/policy_test_cases.json
+++ b/ios/chrome/test/data/policy/policy_test_cases.json
@@ -46,6 +46,18 @@
    ]
  },

+  "BrowserSignin.SigninDisabled": {
+    "os": [
+      "ios"
+    ],
+    "policy_pref_mapping_tests": [
+      {
+        "policies": { "BrowserSignin": 0 },
+        "prefs": { "signin.allowed": {} }
+      }
+    ]
+  },
+
  "CloudManagementEnrollmentToken": {},

  "CloudReportingEnabled": {