CrOS login: Use Views pods to check owner credentials.

During Kiosk app launch we might need to configure network. This is
guarded by the owner authentication (in case of consumer kiosk). Before
this CL it used WebUI AccountPicker screen.
This CL moves it to the current User pod screen implementation

Bug: 1071779
Change-Id: Iaa1665e8d588d4df0beb5459365159a8292c08f9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2540983
Commit-Queue: Roman Sorokin [CET] <rsorokin@chromium.org>
Commit-Queue: Denis Kuznetsov [CET] <antrim@chromium.org>
Reviewed-by: Denis Kuznetsov [CET] <antrim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#829187}

chrome/browser/chromeos/BUILD.gn

@@ -1536,8 +1536,6 @@ source_set("chromeos") {
     "lock_screen_apps/toast_dialog_view.h",
     "logging.cc",
     "logging.h",
-    "login/app_mode/app_launch_signin_screen.cc",
-    "login/app_mode/app_launch_signin_screen.h",
     "login/app_mode/kiosk_launch_controller.cc",
     "login/app_mode/kiosk_launch_controller.h",
     "login/auth/auth_prewarmer.cc",

chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.cc

-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.h"
-
-#include <memory>
-#include <utility>
-
-#include "base/bind.h"
-#include "base/values.h"
-#include "chrome/browser/chromeos/login/help_app_launcher.h"
-#include "chrome/browser/chromeos/login/screens/user_selection_screen.h"
-#include "chrome/browser/chromeos/login/session/user_session_manager.h"
-#include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
-#include "chrome/grit/generated_resources.h"
-#include "chromeos/components/proximity_auth/screenlock_bridge.h"
-#include "chromeos/login/auth/user_context.h"
-#include "components/user_manager/user_manager.h"
-#include "content/public/browser/browser_task_traits.h"
-#include "content/public/browser/browser_thread.h"
-#include "content/public/browser/web_ui.h"
-#include "ui/base/l10n/l10n_util.h"
-
-namespace chromeos {
-
-user_manager::UserManager* AppLaunchSigninScreen::test_user_manager_ = NULL;
-
-AppLaunchSigninScreen::AppLaunchSigninScreen(OobeUI* oobe_ui,
-                                             Delegate* delegate)
-    : oobe_ui_(oobe_ui), delegate_(delegate), webui_handler_(NULL) {}
-
-AppLaunchSigninScreen::~AppLaunchSigninScreen() {
-  oobe_ui_->ResetSigninScreenHandlerDelegate();
-}
-
-void AppLaunchSigninScreen::Show() {
-  InitOwnerUserList();
-  oobe_ui_->web_ui()->CallJavascriptFunctionUnsafe(
-      "login.AccountPickerScreen.setShouldShowApps", base::Value(false));
-  oobe_ui_->ShowSigninScreen(this);
-}
-
-void AppLaunchSigninScreen::InitOwnerUserList() {
-  user_manager::UserManager* user_manager = GetUserManager();
-  const std::string& owner_email =
-      user_manager->GetOwnerAccountId().GetUserEmail();
-  const user_manager::UserList& all_users = user_manager->GetUsers();
-
-  owner_user_list_.clear();
-  for (user_manager::UserList::const_iterator it = all_users.begin();
-       it != all_users.end(); ++it) {
-    user_manager::User* user = *it;
-    if (user->GetAccountId().GetUserEmail() == owner_email) {
-      owner_user_list_.push_back(user);
-      break;
-    }
-  }
-}
-
-// static
-void AppLaunchSigninScreen::SetUserManagerForTesting(
-    user_manager::UserManager* user_manager) {
-  test_user_manager_ = user_manager;
-}
-
-user_manager::UserManager* AppLaunchSigninScreen::GetUserManager() {
-  return test_user_manager_ ? test_user_manager_
-                            : user_manager::UserManager::Get();
-}
-
-void AppLaunchSigninScreen::CancelUserAdding() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::Login(const UserContext& user_context,
-                                  const SigninSpecifics& specifics) {
-  // Note: CreateAuthenticator doesn't necessarily create
-  // a new Authenticator object, and could reuse an existing one.
-  authenticator_ = UserSessionManager::GetInstance()->CreateAuthenticator(this);
-  content::GetUIThreadTaskRunner({})->PostTask(
-      FROM_HERE, base::BindOnce(&Authenticator::AuthenticateToUnlock,
-                                authenticator_.get(), user_context));
-}
-
-void AppLaunchSigninScreen::OnSigninScreenReady() {}
-
-void AppLaunchSigninScreen::ShowEnterpriseEnrollmentScreen() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::ShowKioskEnableScreen() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::ShowKioskAutolaunchScreen() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::ShowWrongHWIDScreen() {
-  NOTREACHED();
-}
-
-void AppLaunchSigninScreen::SetWebUIHandler(
-    LoginDisplayWebUIHandler* webui_handler) {
-  webui_handler_ = webui_handler;
-}
-
-const user_manager::UserList& AppLaunchSigninScreen::GetUsers() const {
-  if (test_user_manager_) {
-    return test_user_manager_->GetUsers();
-  }
-  return owner_user_list_;
-}
-
-bool AppLaunchSigninScreen::IsShowUsers() const {
-  return true;
-}
-
-bool AppLaunchSigninScreen::ShowUsersHasChanged() const {
-  return false;
-}
-
-bool AppLaunchSigninScreen::AllowNewUserChanged() const {
-  return false;
-}
-
-bool AppLaunchSigninScreen::IsSigninInProgress() const {
-  // Return true to suppress network processing in the signin screen.
-  return true;
-}
-
-bool AppLaunchSigninScreen::IsUserSigninCompleted() const {
-  return false;
-}
-
-void AppLaunchSigninScreen::OnAuthFailure(const AuthFailure& error) {
-  LOG(ERROR) << "Unlock failure: " << error.reason();
-  webui_handler_->ClearAndEnablePassword();
-  webui_handler_->ShowError(
-      0, l10n_util::GetStringUTF8(IDS_LOGIN_ERROR_AUTHENTICATING_KIOSK),
-      std::string(), HelpAppLauncher::HELP_CANT_ACCESS_ACCOUNT);
-}
-
-void AppLaunchSigninScreen::OnAuthSuccess(const UserContext& user_context) {
-  delegate_->OnOwnerSigninSuccess();
-}
-
-void AppLaunchSigninScreen::HandleGetUsers() {
-  base::ListValue users_list;
-  const user_manager::UserList& users = GetUsers();
-
-  for (user_manager::UserList::const_iterator it = users.begin();
-       it != users.end(); ++it) {
-    proximity_auth::mojom::AuthType initial_auth_type =
-        UserSelectionScreen::ShouldForceOnlineSignIn(*it)
-            ? proximity_auth::mojom::AuthType::ONLINE_SIGN_IN
-            : proximity_auth::mojom::AuthType::OFFLINE_PASSWORD;
-    auto user_dict = std::make_unique<base::DictionaryValue>();
-    UserSelectionScreen::FillUserDictionary(
-        *it, true,               /* is_owner */
-        false,                   /* is_signin_to_add */
-        initial_auth_type, NULL, /* public_session_recommended_locales */
-        user_dict.get());
-    users_list.Append(std::move(user_dict));
-  }
-
-  webui_handler_->LoadUsers(users, users_list);
-}
-
-void AppLaunchSigninScreen::CheckUserStatus(const AccountId& account_id) {}
-
-}  // namespace chromeos

chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.h

-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef CHROME_BROWSER_CHROMEOS_LOGIN_APP_MODE_APP_LAUNCH_SIGNIN_SCREEN_H_
-#define CHROME_BROWSER_CHROMEOS_LOGIN_APP_MODE_APP_LAUNCH_SIGNIN_SCREEN_H_
-
-#include <string>
-
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
-#include "chromeos/components/proximity_auth/screenlock_bridge.h"
-#include "chromeos/login/auth/auth_status_consumer.h"
-#include "chromeos/login/auth/authenticator.h"
-#include "components/user_manager/user.h"
-#include "components/user_manager/user_manager.h"
-
-class AccountId;
-
-namespace chromeos {
-
-class OobeUI;
-
-// The app launch signin screen shows the user pod of the device owner
-// and requires the user to login in order to access the network dialog.
-// This screen is quite similar to the standard lock screen, but we do not
-// create a new view to superimpose over the desktop.
-//
-// TODO(tengs): This class doesn't quite follow the idiom of the other
-// screen classes, as SigninScreenHandler is very tightly coupled with
-// the login screen. We should do some refactoring in this area.
-class AppLaunchSigninScreen : public SigninScreenHandlerDelegate,
-                              public AuthStatusConsumer {
- public:
-  class Delegate {
-   public:
-    virtual void OnOwnerSigninSuccess() = 0;
-
-   protected:
-    virtual ~Delegate() {}
-  };
-
-  AppLaunchSigninScreen(OobeUI* oobe_ui, Delegate* delegate);
-  ~AppLaunchSigninScreen() override;
-
-  void Show();
-
-  static void SetUserManagerForTesting(user_manager::UserManager* user_manager);
-
- private:
-  void InitOwnerUserList();
-  user_manager::UserManager* GetUserManager();
-  const user_manager::UserList& GetUsers() const;
-
-  // SigninScreenHandlerDelegate implementation:
-  void CancelUserAdding() override;
-  void Login(const UserContext& user_context,
-             const SigninSpecifics& specifics) override;
-  void OnSigninScreenReady() override;
-  void ShowEnterpriseEnrollmentScreen() override;
-  void ShowKioskEnableScreen() override;
-  void ShowKioskAutolaunchScreen() override;
-  void ShowWrongHWIDScreen() override;
-  void SetWebUIHandler(LoginDisplayWebUIHandler* webui_handler) override;
-  bool IsShowUsers() const override;
-  bool ShowUsersHasChanged() const override;
-  bool AllowNewUserChanged() const override;
-  bool IsSigninInProgress() const override;
-  bool IsUserSigninCompleted() const override;
-  void HandleGetUsers() override;
-  void CheckUserStatus(const AccountId& account_id) override;
-
-  // AuthStatusConsumer implementation:
-  void OnAuthFailure(const AuthFailure& error) override;
-  void OnAuthSuccess(const UserContext& user_context) override;
-
-  OobeUI* oobe_ui_;
-  Delegate* delegate_;
-  LoginDisplayWebUIHandler* webui_handler_;
-  scoped_refptr<Authenticator> authenticator_;
-
-  // This list should have at most one user, and that user should be the owner.
-  user_manager::UserList owner_user_list_;
-
-  static user_manager::UserManager* test_user_manager_;
-
-  DISALLOW_COPY_AND_ASSIGN(AppLaunchSigninScreen);
-};
-
-}  // namespace chromeos
-
-#endif  // CHROME_BROWSER_CHROMEOS_LOGIN_APP_MODE_APP_LAUNCH_SIGNIN_SCREEN_H_

chrome/browser/chromeos/login/app_mode/kiosk_launch_controller.cc

@@ -115,7 +115,6 @@ class ArcKioskAppServiceWrapper : public KioskAppLauncher {
 
 KioskLaunchController::KioskLaunchController(OobeUI* oobe_ui)
     : host_(LoginDisplayHost::default_host()),
-      oobe_ui_(oobe_ui),
       splash_screen_view_(oobe_ui->GetView<AppLaunchSplashScreenHandler>()) {}
 
 KioskLaunchController::KioskLaunchController() : host_(nullptr) {}
@@ -206,8 +205,9 @@ void KioskLaunchController::OnConfigureNetwork() {
 
   network_ui_state_ = NetworkUIState::SHOWING;
   if (CanConfigureNetwork() && NeedOwnerAuthToConfigureNetwork()) {
-    signin_screen_.reset(new AppLaunchSigninScreen(oobe_ui_, this));
-    signin_screen_->Show();
+    host_->VerifyOwnerForKiosk(
+        base::BindOnce(&KioskLaunchController::OnOwnerSigninSuccess,
+                       weak_ptr_factory_.GetWeakPtr()));
   } else {
     // If kiosk mode was configured through enterprise policy, we may
     // not have an owner user.
@@ -464,7 +464,6 @@ void KioskLaunchController::OnOldEncryptionDetected(
 
 void KioskLaunchController::OnOwnerSigninSuccess() {
   ShowNetworkConfigureUI();
-  signin_screen_.reset();
 }
 
 bool KioskLaunchController::CanConfigureNetwork() {

chrome/browser/chromeos/login/app_mode/kiosk_launch_controller.h

@@ -8,7 +8,6 @@
 #include "chrome/browser/chromeos/app_mode/kiosk_app_launcher.h"
 #include "chrome/browser/chromeos/app_mode/kiosk_app_types.h"
 #include "chrome/browser/chromeos/app_mode/kiosk_profile_loader.h"
-#include "chrome/browser/chromeos/login/app_mode/app_launch_signin_screen.h"
 #include "chrome/browser/ui/webui/chromeos/login/app_launch_splash_screen_handler.h"
 
 namespace chromeos {
@@ -53,8 +52,7 @@ class OobeUI;
 // NetworkUI state.
 class KioskLaunchController : public KioskProfileLoader::Delegate,
                               public AppLaunchSplashScreenView::Delegate,
-                              public KioskAppLauncher::Delegate,
-                              public AppLaunchSigninScreen::Delegate {
+                              public KioskAppLauncher::Delegate {
  public:
   using ReturnBoolCallback = base::Callback<bool()>;
 
@@ -138,8 +136,7 @@ class KioskLaunchController : public KioskProfileLoader::Delegate,
   void OnProfileLoadFailed(KioskAppLaunchError::Error error) override;
   void OnOldEncryptionDetected(const UserContext& user_context) override;
 
-  // AppLaunchSigninScreen::Delegate:
-  void OnOwnerSigninSuccess() override;
+  void OnOwnerSigninSuccess();
 
   // Whether the network could be configured during launching.
   bool CanConfigureNetwork();
@@ -166,7 +163,6 @@ class KioskLaunchController : public KioskProfileLoader::Delegate,
   NetworkUIState network_ui_state_ = NetworkUIState::NOT_SHOWING;
 
   LoginDisplayHost* const host_;  // Not owned, destructed upon shutdown.
-  OobeUI* oobe_ui_ = nullptr;
   AppLaunchSplashScreenView* splash_screen_view_ = nullptr;  // Owned by OobeUI.
   KioskAppId kiosk_app_id_;                                  // Current app.
   Profile* profile_ = nullptr;                               // Not owned.
@@ -179,7 +175,6 @@ class KioskLaunchController : public KioskProfileLoader::Delegate,
 
   // Used to login into kiosk user profile.
   std::unique_ptr<KioskProfileLoader> kiosk_profile_loader_;
-  std::unique_ptr<AppLaunchSigninScreen> signin_screen_;
 
   // A timer to ensure the app splash is shown for a minimum amount of time.
   base::OneShotTimer splash_wait_timer_;

chrome/browser/chromeos/login/ui/fake_login_display_host.cc

@@ -139,6 +139,8 @@ bool FakeLoginDisplayHost::HasUserPods() {
   return false;
 }
 
+void FakeLoginDisplayHost::VerifyOwnerForKiosk(base::OnceClosure) {}
+
 void FakeLoginDisplayHost::AddObserver(LoginDisplayHost::Observer* observer) {}
 
 void FakeLoginDisplayHost::RemoveObserver(

chrome/browser/chromeos/login/ui/fake_login_display_host.h

@@ -66,6 +66,7 @@ class FakeLoginDisplayHost : public LoginDisplayHost {
   void UpdateAddUserButtonStatus() override;
   void RequestSystemInfoUpdate() override;
   bool HasUserPods() override;
+  void VerifyOwnerForKiosk(base::OnceClosure on_success) override;
   void AddObserver(LoginDisplayHost::Observer* observer) override;
   void RemoveObserver(LoginDisplayHost::Observer* observer) override;
 

chrome/browser/chromeos/login/ui/login_display_host.h

@@ -213,6 +213,8 @@ class LoginDisplayHost {
   // Returns if the device has any user after filtering based on policy.
   virtual bool HasUserPods() = 0;
 
+  virtual void VerifyOwnerForKiosk(base::OnceClosure on_success) = 0;
+
   // Used to add an observer for the changes in the web dilaog login view.
   virtual void AddObserver(Observer* observer) = 0;
   virtual void RemoveObserver(Observer* observer) = 0;

chrome/browser/chromeos/login/ui/login_display_host_mojo.cc

@@ -43,6 +43,7 @@
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 #include "components/user_manager/user_names.h"
+#include "content/public/browser/browser_task_traits.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "ui/aura/window.h"
 #include "ui/views/view.h"
@@ -356,6 +357,20 @@ bool LoginDisplayHostMojo::HasUserPods() {
   return user_count_ > 0;
 }
 
+void LoginDisplayHostMojo::VerifyOwnerForKiosk(base::OnceClosure on_success) {
+  // This UI is specific fo the consumer kiosk. We hide all the pods except for
+  // the owner. User can't go back to the normal user screen from this. App
+  // launch cancellation results in the Chrome restart (see
+  // KioskLaunchController::OnCancelAppLaunch).
+  CHECK(GetKioskLaunchController());
+  DCHECK(!owner_verified_callback_);
+  owner_verified_callback_ = std::move(on_success);
+  owner_account_id_ = user_manager::UserManager::Get()->GetOwnerAccountId();
+  CHECK(owner_account_id_.is_valid());
+  login_display_->ShowOwnerPod(owner_account_id_);
+  HideOobeDialog();
+}
+
 void LoginDisplayHostMojo::AddObserver(LoginDisplayHost::Observer* observer) {
   observers_.AddObserver(observer);
 }
@@ -403,6 +418,11 @@ void LoginDisplayHostMojo::HandleAuthenticateUserWithPasswordOrPin(
     user_context.SetIsUsingOAuth(false);
   }
 
+  if (owner_verified_callback_) {
+    CheckOwnerCredentials(user_context);
+    return;
+  }
+
   existing_user_controller_->Login(user_context, chromeos::SigninSpecifics());
 }
 
@@ -616,4 +636,25 @@ void LoginDisplayHostMojo::CreateExistingUserController() {
   existing_user_controller_->AddLoginStatusConsumer(this);
 }
 
+void LoginDisplayHostMojo::CheckOwnerCredentials(
+    const UserContext& user_context) {
+  CHECK_EQ(owner_account_id_, user_context.GetAccountId());
+  if (!extended_authenticator_)
+    extended_authenticator_ = ExtendedAuthenticator::Create(this);
+
+  content::GetUIThreadTaskRunner({})->PostTask(
+      FROM_HERE,
+      base::BindOnce(&ExtendedAuthenticator::AuthenticateToCheck,
+                     extended_authenticator_.get(), user_context,
+                     base::BindOnce(&LoginDisplayHostMojo::OnOwnerSigninSuccess,
+                                    base::Unretained(this))));
+}
+
+void LoginDisplayHostMojo::OnOwnerSigninSuccess() {
+  DCHECK(owner_verified_callback_);
+  std::move(owner_verified_callback_).Run();
+  extended_authenticator_.reset();
+  ShowFullScreen();
+}
+
 }  // namespace chromeos

chrome/browser/chromeos/login/ui/login_display_host_mojo.h

@@ -94,6 +94,7 @@ class LoginDisplayHostMojo : public LoginDisplayHostCommon,
   void UpdateAddUserButtonStatus() override;
   void RequestSystemInfoUpdate() override;
   bool HasUserPods() override;
+  void VerifyOwnerForKiosk(base::OnceClosure on_success) override;
   void AddObserver(LoginDisplayHost::Observer* observer) override;
   void RemoveObserver(LoginDisplayHost::Observer* observer) override;
 
@@ -163,6 +164,10 @@ class LoginDisplayHostMojo : public LoginDisplayHostCommon,
   // consume auth status events.
   void CreateExistingUserController();
 
+  // Consumer kiosk owner authentication functions.
+  void CheckOwnerCredentials(const UserContext& user_context);
+  void OnOwnerSigninSuccess();
+
   // State associated with a pending authentication attempt.
   struct AuthState {
     AuthState(AccountId account_id, base::OnceCallback<void(bool)> callback);
@@ -214,6 +219,11 @@ class LoginDisplayHostMojo : public LoginDisplayHostCommon,
   // Store which screen is currently displayed.
   DisplayedScreen displayed_screen_ = DisplayedScreen::SIGN_IN_SCREEN;
 
+  // Consumer kiosk owner fields.
+  AccountId owner_account_id_;
+  base::OnceClosure owner_verified_callback_;
+  scoped_refptr<ExtendedAuthenticator> extended_authenticator_;
+
   ScopedObserver<views::View, views::ViewObserver> scoped_observer_{this};
 
   base::ObserverList<LoginDisplayHost::Observer> observers_;

chrome/browser/chromeos/login/ui/login_display_host_webui.cc

@@ -1031,6 +1031,10 @@ bool LoginDisplayHostWebUI::HasUserPods() {
   return false;
 }
 
+void LoginDisplayHostWebUI::VerifyOwnerForKiosk(base::OnceClosure) {
+  NOTREACHED();
+}
+
 void LoginDisplayHostWebUI::AddObserver(LoginDisplayHost::Observer* observer) {
   observers_.AddObserver(observer);
 }

chrome/browser/chromeos/login/ui/login_display_host_webui.h

@@ -89,6 +89,7 @@ class LoginDisplayHostWebUI : public LoginDisplayHostCommon,
   void RequestSystemInfoUpdate() override;
   void OnCancelPasswordChangedFlow() override;
   bool HasUserPods() override;
+  void VerifyOwnerForKiosk(base::OnceClosure) override;
   void AddObserver(LoginDisplayHost::Observer* observer) override;
   void RemoveObserver(LoginDisplayHost::Observer* observer) override;
 

chrome/browser/chromeos/login/ui/login_display_mojo.cc

@@ -280,6 +280,35 @@ void LoginDisplayMojo::OnUserImageChanged(const user_manager::User& user) {
       UserSelectionScreen::BuildAshUserAvatarForUser(user));
 }
 
+void LoginDisplayMojo::ShowOwnerPod(const AccountId& owner) {
+  const user_manager::User* device_owner =
+      user_manager::UserManager::Get()->FindUser(owner);
+  CHECK(device_owner);
+
+  std::vector<ash::LoginUserInfo> user_info_list;
+  ash::LoginUserInfo user_info;
+  user_info.basic_user_info.type = device_owner->GetType();
+  user_info.basic_user_info.account_id = device_owner->GetAccountId();
+  user_info.basic_user_info.display_name =
+      base::UTF16ToUTF8(device_owner->GetDisplayName());
+  user_info.basic_user_info.display_email = device_owner->display_email();
+  user_info.basic_user_info.avatar =
+      UserSelectionScreen::BuildAshUserAvatarForUser(*device_owner);
+  user_info.auth_type = proximity_auth::mojom::AuthType::OFFLINE_PASSWORD;
+  user_info.is_signed_in = device_owner->is_logged_in();
+  user_info.is_device_owner = true;
+  user_info.can_remove = false;
+  user_info_list.push_back(user_info);
+
+  ash::LoginScreen::Get()->GetModel()->SetUserList(user_info_list);
+  ash::LoginScreen::Get()->SetAllowLoginAsGuest(false);
+  ash::LoginScreen::Get()->EnableAddUserButton(false);
+
+  // Disable PIN.
+  ash::LoginScreen::Get()->GetModel()->SetPinEnabledForUser(owner,
+                                                            /*enabled=*/false);
+}
+
 void LoginDisplayMojo::OnPinCanAuthenticate(const AccountId& account_id,
                                             bool can_authenticate) {
   ash::LoginScreen::Get()->GetModel()->SetPinEnabledForUser(account_id,

chrome/browser/chromeos/login/ui/login_display_mojo.h

@@ -67,6 +67,8 @@ class LoginDisplayMojo : public LoginDisplay,
   // user_manager::UserManager::Observer:
   void OnUserImageChanged(const user_manager::User& user) override;
 
+  void ShowOwnerPod(const AccountId& owner);
+
  private:
   void OnPinCanAuthenticate(const AccountId& account_id, bool can_authenticate);
 

chrome/browser/chromeos/login/ui/mock_login_display_host.h

@@ -89,6 +89,7 @@ class MockLoginDisplayHost : public LoginDisplayHost {
   MOCK_METHOD(void, UpdateAddUserButtonStatus, (), (override));
   MOCK_METHOD(void, RequestSystemInfoUpdate, (), (override));
   MOCK_METHOD(bool, HasUserPods, (), (override));
+  MOCK_METHOD(void, VerifyOwnerForKiosk, (base::OnceClosure), (override));
   MOCK_METHOD(void, AddObserver, (LoginDisplayHost::Observer*), (override));
   MOCK_METHOD(void, RemoveObserver, (LoginDisplayHost::Observer*), (override));