Modified permissions to decide the warning of the managed session login

Added a flag to APIPermissions and a function to ManifestPermissions to decide if the permissions should trigger full warning on the login screen of the managed-guest session or not. Bug: 1015378 Change-Id: I6df56a3a4adbbf1468cbaf36929508bcaa17c464 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2060948 Commit-Queue: Aya Elsayed <ayaelattar@google.com> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#745401}

Modified permissions to decide the warning of the managed session login
Added a flag to APIPermissions and a function to ManifestPermissions to decide if the permissions should trigger full warning on the login screen of the managed-guest session or not. Bug: 1015378 Change-Id: I6df56a3a4adbbf1468cbaf36929508bcaa17c464 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2060948 Commit-Queue: Aya Elsayed <ayaelattar@google.com> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/master@{#745401}
fcd04acc · Aya ElAttar · Commit Bot · 53a735ee · fcd04acc · fcd04acc
Commit fcd04acc authored Feb 28, 2020 by Aya ElAttar Committed by Commit Bot Feb 28, 2020
4 changed files
--- a/extensions/common/permissions/api_permission.h
+++ b/extensions/common/permissions/api_permission.h
@@ -393,7 +393,16 @@ class APIPermissionInfo {
    // permissions messages in chrome://management. Reach out to the privacy
    // team when you add a new permission to check whether you should set this
    // flag or not.
-    kFlagRequiresManagementUIWarning = 1 << 6
+    kFlagRequiresManagementUIWarning = 1 << 6,
+
+    // Indicates that the permission shouldn't trigger the full warning on
+    // the login screen of the managed-guest session. See
+    // prefs::kManagedSessionUseFullLoginWarning. Most permissions are
+    // considered powerful enough to warrant the full warning,
+    // so the default for permissions (by not including this flag) is to trigger
+    // it. Reach out to the privacy team when you add a new permission to check
+    // whether you should set this flag or not.
+    kFlagDoesNotRequireManagedSessionFullLoginWarning = 1 << 7
  };

  using APIPermissionConstructor =
@@ -448,11 +457,17 @@ class APIPermissionInfo {
  }

  // Returns true if this permission should trigger a warning on the management
-  // page
+  // page.
  bool requires_management_ui_warning() const {
    return (flags_ & kFlagRequiresManagementUIWarning) != 0;
  }

+  // Returns true if this permission should trigger the full warning on the
+  // login screen of the managed guest session.
+  bool requires_managed_session_full_login_warning() const {
+    return (flags_ & kFlagDoesNotRequireManagedSessionFullLoginWarning) == 0;
+  }
+
 private:
  // Instances should only be constructed from within a PermissionsInfo.
  friend class PermissionsInfo;

--- a/extensions/common/permissions/api_permission_unittest.cc
+++ b/extensions/common/permissions/api_permission_unittest.cc
@@ -13,6 +13,8 @@
 #include "base/path_service.h"
 #include "base/strings/stringprintf.h"
 #include "base/test/metrics/histogram_enum_reader.h"
+#include "extensions/common/alias.h"
+#include "extensions/common/permissions/permissions_info.h"
 #include "testing/gtest/include/gtest/gtest.h"

 namespace extensions {
@@ -52,4 +54,22 @@ TEST(ExtensionAPIPermissionTest, CheckEnums) {
  }
 }

+TEST(ExtensionAPIPermissionTest, ManagedSessionLoginWarningFlag) {
+  PermissionsInfo* info = PermissionsInfo::GetInstance();
+
+  constexpr APIPermissionInfo::InitInfo init_info[] = {
+      {APIPermission::kUnknown, "test permission",
+       APIPermissionInfo::kFlagImpliesFullURLAccess |
+           APIPermissionInfo::
+               kFlagDoesNotRequireManagedSessionFullLoginWarning}};
+
+  info->RegisterPermissions(base::make_span(init_info),
+                            base::span<const extensions::Alias>());
+
+  EXPECT_TRUE(info->GetByID(APIPermission::kAlwaysOnTopWindows)
+                  ->requires_managed_session_full_login_warning());
+  EXPECT_FALSE(info->GetByID(APIPermission::kUnknown)
+                   ->requires_managed_session_full_login_warning());
+}
+
 }  // namespace extensions
--- a/extensions/common/permissions/manifest_permission.cc
+++ b/extensions/common/permissions/manifest_permission.cc
@@ -51,4 +51,8 @@ void ManifestPermission::Log(std::string* log) const {
      *ToValue(), base::JSONWriter::OPTIONS_PRETTY_PRINT, log);
 }

+bool ManifestPermission::RequiresManagedSessionFullLoginWarning() const {
+  return true;
+}
+
 }  // namespace extensions
--- a/extensions/common/permissions/manifest_permission.h
+++ b/extensions/common/permissions/manifest_permission.h
@@ -64,6 +64,11 @@ class ManifestPermission {
  // in chrome://management, set this function to return true.
  virtual bool RequiresManagementUIWarning() const = 0;

+  // Returns true if any of the included permissions should trigger the full
+  // warning on the login screen of the managed-guest session. Reach out to the
+  // privacy team before setting this function to return false.
+  virtual bool RequiresManagedSessionFullLoginWarning() const;
+
  // Returns true if |rhs| is a subset of this.
  bool Contains(const ManifestPermission* rhs) const;