Add supervised argument in the X-Chrome-Connected header.

This CL adds a "supervised" argument to the X-Chrome-Connected header when the account that is signed in to Chrome is a child account. Design document (Google internal): https://docs.google.com/document/d/1u5PUBIeTxXiKSpqJHDiSuc9hJ2Y9_Te4ja5eJdLfZk4/edit?usp=sharing Bug: 1103228 Change-Id: Ic90021207213d926ed2dbb54b78eb4d9559a0da3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2431524 Commit-Queue: Mihai Sardarescu <msarda@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Cr-Commit-Position: refs/heads/master@{#813007}

Add supervised argument in the X-Chrome-Connected header.
This CL adds a "supervised" argument to the X-Chrome-Connected header when the account that is signed in to Chrome is a child account. Design document (Google internal): https://docs.google.com/document/d/1u5PUBIeTxXiKSpqJHDiSuc9hJ2Y9_Te4ja5eJdLfZk4/edit?usp=sharing Bug: 1103228 Change-Id: Ic90021207213d926ed2dbb54b78eb4d9559a0da3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2431524 Commit-Queue: Mihai Sardarescu <msarda@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Cr-Commit-Position: refs/heads/master@{#813007}
f6f7990d · Mihai Sardarescu · Commit Bot · 800d41ac · f6f7990d · f6f7990d
Commit f6f7990d authored Oct 02, 2020 by Mihai Sardarescu Committed by Commit Bot Oct 02, 2020
11 changed files
--- a/chrome/browser/search/one_google_bar/one_google_bar_loader_impl.cc
+++ b/chrome/browser/search/one_google_bar/one_google_bar_loader_impl.cc
@@ -204,11 +204,16 @@ void OneGoogleBarLoaderImpl::AuthenticatedURLLoader::SetRequestHeaders(
    profile_mode = signin::PROFILE_MODE_INCOGNITO_DISABLED |
                   signin::PROFILE_MODE_ADD_ACCOUNT_DISABLED;
  }
+
+  // TODO(crbug.com/1134045): Check whether the child account status should also
+  // be sent in the Mirror request header when loading the local version of
+  // OneGoogleBar.
  std::string chrome_connected_header_value =
      chrome_connected_header_helper.BuildRequestHeader(
          /*is_header_request=*/true, api_url_,
          // Gaia ID is only needed for (drive|docs).google.com.
-          /*gaia_id=*/std::string(), profile_mode,
+          /*gaia_id=*/std::string(),
+          /* is_child_account=*/base::nullopt, profile_mode,
          signin::kChromeMirrorHeaderSource,
          /*force_account_consistency=*/false);
  if (!chrome_connected_header_value.empty()) {

--- a/chrome/browser/signin/chrome_signin_helper.cc
+++ b/chrome/browser/signin/chrome_signin_helper.cc
@@ -500,6 +500,7 @@ void FixAccountConsistencyRequestHeader(
    int incognito_availibility,
    AccountConsistencyMethod account_consistency,
    std::string gaia_id,
+    const base::Optional<bool>& is_child_account,
 #if defined(OS_CHROMEOS)
    bool is_secondary_account_addition_allowed,
 #endif
@@ -547,8 +548,8 @@ void FixAccountConsistencyRequestHeader(

  // Mirror header:
  AppendOrRemoveMirrorRequestHeader(
-      request, redirect_url, gaia_id, account_consistency, cookie_settings,
-      profile_mode_mask, kChromeMirrorHeaderSource,
+      request, redirect_url, gaia_id, is_child_account, account_consistency,
+      cookie_settings, profile_mode_mask, kChromeMirrorHeaderSource,
      /*force_account_consistency=*/false);
 }


--- a/chrome/browser/signin/chrome_signin_helper.h
+++ b/chrome/browser/signin/chrome_signin_helper.h
@@ -95,6 +95,7 @@ void FixAccountConsistencyRequestHeader(
    int incognito_availibility,
    AccountConsistencyMethod account_consistency,
    std::string gaia_id,
+    const base::Optional<bool>& is_child_account,
 #if defined(OS_CHROMEOS)
    bool is_secondary_account_addition_allowed,
 #endif

--- a/chrome/browser/signin/chromeos_mirror_account_consistency_browsertest.cc
+++ b/chrome/browser/signin/chromeos_mirror_account_consistency_browsertest.cc
@@ -126,11 +126,16 @@ IN_PROC_BROWSER_TEST_F(ChromeOsMirrorAccountConsistencyTest,
  PrefService* prefs = profile->GetPrefs();
  prefs->SetInteger(prefs::kIncognitoModeAvailability,
                    IncognitoModePrefs::DISABLED);
-
  ASSERT_EQ(1, signin::PROFILE_MODE_INCOGNITO_DISABLED);
+
+  // TODO(http://crbug.com/1134144): This test seems to test supervised profiles
+  // instead of child accounts. With the current implementation,
+  // X-Chrome-Connected header gets a supervised=true argument only for child
+  // profiles. Verify if these tests needs to be updated to use child accounts
+  // or whether supervised profiles need to be supported as well.
  TestMirrorRequestForProfile(
      test_server_.get(), profile,
-      "source=Chrome,mode=1,enable_account_consistency=true,"
+      "source=Chrome,mode=1,enable_account_consistency=true,supervised=false,"
      "consistency_enabled_by_default=false");
 }

@@ -150,6 +155,6 @@ IN_PROC_BROWSER_TEST_F(ChromeOsMirrorAccountConsistencyTest,
      AccountConsistencyModeManager::IsMirrorEnabledForProfile(profile));
  TestMirrorRequestForProfile(
      test_server_.get(), profile,
-      "source=Chrome,mode=0,enable_account_consistency=true,"
+      "source=Chrome,mode=0,enable_account_consistency=true,supervised=false,"
      "consistency_enabled_by_default=false");
 }
--- a/chrome/browser/signin/header_modification_delegate_impl.cc
+++ b/chrome/browser/signin/header_modification_delegate_impl.cc
@@ -72,13 +72,26 @@ void HeaderModificationDelegateImpl::ProcessRequest(
    consent_level = ConsentLevel::kNotRequired;
 #endif

+  IdentityManager* identity_manager =
+      IdentityManagerFactory::GetForProfile(profile_);
+  CoreAccountInfo account =
+      identity_manager->GetPrimaryAccountInfo(consent_level);
+  base::Optional<bool> is_child_account = base::nullopt;
+  if (!account.IsEmpty()) {
+    base::Optional<AccountInfo> extended_account_info =
+        identity_manager->FindExtendedAccountInfoForAccountWithRefreshToken(
+            account);
+    if (extended_account_info.has_value()) {
+      is_child_account = base::make_optional<bool>(
+          extended_account_info.value().is_child_account);
+    }
+  }
+
  FixAccountConsistencyRequestHeader(
      request_adapter, redirect_url, profile_->IsOffTheRecord(),
      prefs->GetInteger(prefs::kIncognitoModeAvailability),
      AccountConsistencyModeManager::GetMethodForProfile(profile_),
-      IdentityManagerFactory::GetForProfile(profile_)
-          ->GetPrimaryAccountInfo(consent_level)
-          .gaia,
+      account.gaia, is_child_account,
 #if defined(OS_CHROMEOS)
      is_secondary_account_addition_allowed,
 #endif

--- a/components/signin/core/browser/chrome_connected_header_helper.cc
+++ b/components/signin/core/browser/chrome_connected_header_helper.cc
@@ -32,6 +32,7 @@ const char kIsSameTabAttrName[] = "is_same_tab";
 const char kIsSamlAttrName[] = "is_saml";
 const char kProfileModeAttrName[] = "mode";
 const char kServiceTypeAttrName[] = "action";
+const char kSupervisedAttrName[] = "supervised";
 const char kSourceAttrName[] = "source";
 #if defined(OS_ANDROID) || defined(OS_IOS)
 const char kEligibleForConsistency[] = "eligible_for_consistency";
@@ -70,9 +71,13 @@ std::string ChromeConnectedHeaderHelper::BuildRequestCookieIfPossible(
  ChromeConnectedHeaderHelper chrome_connected_helper(account_consistency);
  if (!chrome_connected_helper.ShouldBuildRequestHeader(url, cookie_settings))
    return "";
+
+  // Child accounts are not supported on iOS, so it is preferred to not include
+  // this information in the ChromeConnected cookie.
  return chrome_connected_helper.BuildRequestHeader(
-      false /* is_header_request */, url, gaia_id, profile_mode_mask,
-      "" /* source */, false /* force_account_consistency */);
+      false /* is_header_request */, url, gaia_id,
+      base::nullopt /* is_child_account */, profile_mode_mask, "" /* source */,
+      false /* force_account_consistency */);
 }

 // static
@@ -178,6 +183,7 @@ std::string ChromeConnectedHeaderHelper::BuildRequestHeader(
    bool is_header_request,
    const GURL& url,
    const std::string& gaia_id,
+    const base::Optional<bool>& is_child_account,
    int profile_mode_mask,
    const std::string& source,
    bool force_account_consistency) {
@@ -220,6 +226,11 @@ std::string ChromeConnectedHeaderHelper::BuildRequestHeader(
      account_consistency_ == AccountConsistencyMethod::kMirror;
  parts.push_back(base::StringPrintf("%s=%s", kEnableAccountConsistencyAttrName,
                                     is_mirror_enabled ? "true" : "false"));
+  if (is_child_account.has_value()) {
+    parts.push_back(
+        base::StringPrintf("%s=%s", kSupervisedAttrName,
+                           is_child_account.value() ? "true" : "false"));
+  }
  parts.push_back(base::StringPrintf(
      "%s=%s", kConsistencyEnabledByDefaultAttrName, "false"));


--- a/components/signin/core/browser/chrome_connected_header_helper.h
+++ b/components/signin/core/browser/chrome_connected_header_helper.h
@@ -7,6 +7,7 @@

 #include <string>

+#include "base/optional.h"
 #include "components/signin/core/browser/signin_header_helper.h"
 #include "components/signin/public/base/account_consistency_method.h"

@@ -40,6 +41,7 @@ class ChromeConnectedHeaderHelper : public SigninHeaderHelper {
  std::string BuildRequestHeader(bool is_header_request,
                                 const GURL& url,
                                 const std::string& gaia_id,
+                                 const base::Optional<bool>& is_child_account,
                                 int profile_mode_mask,
                                 const std::string& source,
                                 bool force_account_consistency);

--- a/components/signin/core/browser/signin_header_helper.cc
+++ b/components/signin/core/browser/signin_header_helper.cc
@@ -167,6 +167,7 @@ void AppendOrRemoveMirrorRequestHeader(
    RequestAdapter* request,
    const GURL& redirect_url,
    const std::string& gaia_id,
+    const base::Optional<bool>& is_child_account,
    AccountConsistencyMethod account_consistency,
    const content_settings::CookieSettings* cookie_settings,
    int profile_mode_mask,
@@ -177,8 +178,8 @@ void AppendOrRemoveMirrorRequestHeader(
  std::string chrome_connected_header_value;
  if (chrome_connected_helper.ShouldBuildRequestHeader(url, cookie_settings)) {
    chrome_connected_header_value = chrome_connected_helper.BuildRequestHeader(
-        true /* is_header_request */, url, gaia_id, profile_mode_mask, source,
-        force_account_consistency);
+        true /* is_header_request */, url, gaia_id, is_child_account,
+        profile_mode_mask, source, force_account_consistency);
  }
  chrome_connected_helper.AppendOrRemoveRequestHeader(
      request, redirect_url, kChromeConnectedHeader,

--- a/components/signin/core/browser/signin_header_helper.h
+++ b/components/signin/core/browser/signin_header_helper.h
@@ -238,6 +238,7 @@ void AppendOrRemoveMirrorRequestHeader(
    RequestAdapter* request,
    const GURL& redirect_url,
    const std::string& gaia_id,
+    const base::Optional<bool>& is_child_account,
    AccountConsistencyMethod account_consistency,
    const content_settings::CookieSettings* cookie_settings,
    int profile_mode_mask,

--- a/components/signin/core/browser/signin_header_helper_unittest.cc
+++ b/components/signin/core/browser/signin_header_helper_unittest.cc
--- a/weblayer/browser/signin_url_loader_throttle.cc
+++ b/weblayer/browser/signin_url_loader_throttle.cc
@@ -141,8 +141,12 @@ void SigninURLLoaderThrottle::ProcessRequest(
  // Disable incognito and adding accounts for now. This shouldn't matter in
  // practice though since we are skipping the /SignOutOptions page completely
  // with the manage=true param.
+  //
+  // TODO(crbug.com/1134042): Check whether the child account status should also
+  // be sent in the Mirror request header from WebLayer.
  signin::AppendOrRemoveMirrorRequestHeader(
      &request_adapter, new_url, delegate->GetGaiaId(),
+      base::nullopt /* is_child_account */,
      signin::AccountConsistencyMethod::kMirror,
      CookieSettingsFactory::GetForBrowserContext(browser_context_).get(),
      signin::PROFILE_MODE_INCOGNITO_DISABLED |