Observe Gaia status change and update advanced protection state.

Add AdvancedProtectionStatusManager class to observe signin and gaia account events, and update advanced protection state accordingly. Bug: 866620 Change-Id: I28453160d030aea9080f8f8c30ad2162aa18372f Reviewed-on: https://chromium-review.googlesource.com/1157560 Commit-Queue: Jialiu Lin <jialiul@chromium.org> Reviewed-by: Varun Khaneja <vakh@chromium.org> Cr-Commit-Position: refs/heads/master@{#583134}

Observe Gaia status change and update advanced protection state.
Add AdvancedProtectionStatusManager class to observe signin and gaia account events, and update advanced protection state accordingly. Bug: 866620 Change-Id: I28453160d030aea9080f8f8c30ad2162aa18372f Reviewed-on: https://chromium-review.googlesource.com/1157560 Commit-Queue: Jialiu Lin <jialiul@chromium.org> Reviewed-by: Varun Khaneja <vakh@chromium.org> Cr-Commit-Position: refs/heads/master@{#583134}
fea1d5fd · Jialiu Lin · Commit Bot · e6ef7670 · fea1d5fd · fea1d5fd
Commit fea1d5fd authored Aug 15, 2018 by Jialiu Lin Committed by Commit Bot Aug 15, 2018
11 changed files
--- a/chrome/browser/safe_browsing/BUILD.gn
+++ b/chrome/browser/safe_browsing/BUILD.gn
@@ -213,12 +213,14 @@ static_library("safe_browsing") {
        "signature_evaluator_mac.mm",
      ]
      deps += [
+        ":advanced_protection",
        "//chrome/services/file_util/public/cpp",
        "//components/content_settings/core/browser:browser",
        "//components/language/core/common:common",
        "//components/prefs:prefs",
        "//components/safe_browsing/db:db",
        "//components/security_interstitials/content:security_interstitial_page",
+        "//components/signin/core/browser:browser",
        "//content/public/browser:browser",
        "//net:net",
      ]
@@ -236,3 +238,20 @@ static_library("safe_browsing") {
    }
  }
 }
+static_library("advanced_protection") {
+  sources = [
+    "advanced_protection_status_manager.cc",
+    "advanced_protection_status_manager.h",
+    "advanced_protection_status_manager_factory.cc",
+    "advanced_protection_status_manager_factory.h",
+  ]
+  deps = [
+    "//components/prefs:prefs",
+    "//components/safe_browsing/common:common",
+    "//components/safe_browsing/common:safe_browsing_prefs",
+    "//components/signin/core/browser:browser",
+    "//content/public/browser:browser",
+  ]
+}
--- a/chrome/browser/safe_browsing/advanced_protection_status_manager.cc
+++ b/chrome/browser/safe_browsing/advanced_protection_status_manager.cc
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "chrome/browser/safe_browsing/advanced_protection_status_manager.h"
+#include "base/feature_list.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/safe_browsing/advanced_protection_status_manager_factory.h"
+#include "chrome/browser/signin/account_tracker_service_factory.h"
+#include "chrome/browser/signin/signin_manager_factory.h"
+#include "components/prefs/pref_service.h"
+#include "components/safe_browsing/common/safe_browsing_prefs.h"
+#include "components/safe_browsing/features.h"
+#include "components/signin/core/browser/signin_manager.h"
+#include "content/public/browser/browser_context.h"
+namespace safe_browsing {
+namespace {
+const base::TimeDelta kRefreshAdvancedProtectionDelay =
+    base::TimeDelta::FromDays(1);
+// If |info| matches the primary account of |profile|.
+bool IsPrimaryAccount(Profile* profile, const AccountInfo& info) {
+  SigninManagerBase* signin_manager =
+      SigninManagerFactory::GetForProfileIfExists(profile);
+  return signin_manager && !info.account_id.empty() &&
+         info.account_id == signin_manager->GetAuthenticatedAccountId();
+}
+}  // namespace
+AdvancedProtectionStatusManager::AdvancedProtectionStatusManager(
+    Profile* profile)
+    : profile_(profile), is_under_advanced_protection_(false) {
+  // Retrieves advanced protection service status from primary account's info.
+  if (!profile_->IsOffTheRecord()) {
+    AccountInfo info = SigninManagerFactory::GetForProfileIfExists(profile)
+                           ->GetAuthenticatedAccountInfo();
+    // Initializes advanced protection status if user's signed-in.
+    if (!info.account_id.empty()) {
+      is_under_advanced_protection_ = info.is_under_advanced_protection;
+      primary_account_gaia_ = info.gaia;
+    }
+    last_refreshed_ = base::Time::FromDeltaSinceWindowsEpoch(
+        base::TimeDelta::FromMicroseconds(profile_->GetPrefs()->GetInt64(
+            prefs::kAdvancedProtectionLastRefreshInUs)));
+  }
+  SubscribeToSigninEvents();
+}
+// static
+bool AdvancedProtectionStatusManager::IsEnabled() {
+  return base::FeatureList::IsEnabled(kAdvancedProtectionStatusFeature);
+}
+void AdvancedProtectionStatusManager::Shutdown() {
+  CancelFutureRefresh();
+  UnsubscribeFromSigninEvents();
+}
+AdvancedProtectionStatusManager::~AdvancedProtectionStatusManager() {}
+void AdvancedProtectionStatusManager::SubscribeToSigninEvents() {
+  AccountTrackerServiceFactory::GetForProfile(profile_)->AddObserver(this);
+  SigninManagerFactory::GetForProfile(profile_)->AddObserver(this);
+}
+void AdvancedProtectionStatusManager::UnsubscribeFromSigninEvents() {
+  AccountTrackerServiceFactory::GetForProfile(profile_)->RemoveObserver(this);
+  SigninManagerFactory::GetForProfile(profile_)->RemoveObserver(this);
+}
+void AdvancedProtectionStatusManager::OnAccountUpdated(
+    const AccountInfo& info) {
+  // Ignore update if |profile_| is in incognito mode, or the updated account
+  // is not the primary account.
+  if (profile_->IsOffTheRecord() || !IsPrimaryAccount(profile_, info))
+    return;
+  if (!is_under_advanced_protection_ && info.is_under_advanced_protection) {
+    // User just enrolled into advanced protection.
+    OnAdvancedProtectionEnabled();
+  } else if (is_under_advanced_protection_ &&
+             !info.is_under_advanced_protection) {
+    // User's no longer in advanced protection.
+    OnAdvancedProtectionDisabled();
+  }
+}
+void AdvancedProtectionStatusManager::OnAccountRemoved(
+    const AccountInfo& info) {
+  if (profile_->IsOffTheRecord())
+    return;
+  // If user signed out primary account, cancel refresh.
+  if (!primary_account_gaia_.empty() && primary_account_gaia_ == info.gaia) {
+    primary_account_gaia_.clear();
+    OnAdvancedProtectionDisabled();
+  }
+}
+void AdvancedProtectionStatusManager::GoogleSigninSucceeded(
+    const AccountInfo& account_info) {
+  primary_account_gaia_ = account_info.gaia;
+  if (!is_under_advanced_protection_ &&
+      account_info.is_under_advanced_protection) {
+    OnAdvancedProtectionEnabled();
+  }
+}
+void AdvancedProtectionStatusManager::GoogleSignedOut(
+    const AccountInfo& account_info) {
+  if (primary_account_gaia_ == account_info.gaia)
+    primary_account_gaia_.clear();
+  OnAdvancedProtectionDisabled();
+}
+void AdvancedProtectionStatusManager::OnAdvancedProtectionEnabled() {
+  UpdateLastRefreshTime();
+  is_under_advanced_protection_ = true;
+  ScheduleNextRefresh();
+}
+void AdvancedProtectionStatusManager::OnAdvancedProtectionDisabled() {
+  if (!is_under_advanced_protection_)
+    return;
+  is_under_advanced_protection_ = false;
+  CancelFutureRefresh();
+}
+void AdvancedProtectionStatusManager::RefreshAdvancedProtectionStatus() {
+  // To Be Implemented.
+}
+void AdvancedProtectionStatusManager::
+    RefreshAdvancedProtectionStatusAndScheduleNext() {
+  DCHECK(is_under_advanced_protection_);
+  RefreshAdvancedProtectionStatus();
+  UpdateLastRefreshTime();
+  if (is_under_advanced_protection_)
+    ScheduleNextRefresh();
+}
+void AdvancedProtectionStatusManager::ScheduleNextRefresh() {
+  CancelFutureRefresh();
+  const base::TimeDelta time_since_last_refresh =
+      base::Time::Now() - last_refreshed_;
+  if (time_since_last_refresh > kRefreshAdvancedProtectionDelay) {
+    RefreshAdvancedProtectionStatus();
+  } else {
+    timer_.Start(FROM_HERE,
+                 kRefreshAdvancedProtectionDelay - time_since_last_refresh,
+                 this,
+                 &AdvancedProtectionStatusManager::
+                     RefreshAdvancedProtectionStatusAndScheduleNext);
+  }
+}
+void AdvancedProtectionStatusManager::CancelFutureRefresh() {
+  if (timer_.IsRunning())
+    timer_.Stop();
+}
+void AdvancedProtectionStatusManager::UpdateLastRefreshTime() {
+  last_refreshed_ = base::Time::Now();
+  profile_->GetPrefs()->SetInt64(
+      prefs::kAdvancedProtectionLastRefreshInUs,
+      last_refreshed_.ToDeltaSinceWindowsEpoch().InMicroseconds());
+}
+// static
+bool AdvancedProtectionStatusManager::IsUnderAdvancedProtection(
+    Profile* profile) {
+  // Advanced protection is off for incognito mode.
+  if (profile->IsOffTheRecord())
+    return false;
+  return AdvancedProtectionStatusManagerFactory::GetInstance()
+      ->GetForBrowserContext(static_cast<content::BrowserContext*>(profile))
+      ->is_under_advanced_protection();
+}
+}  // namespace safe_browsing
--- a/chrome/browser/safe_browsing/advanced_protection_status_manager.h
+++ b/chrome/browser/safe_browsing/advanced_protection_status_manager.h
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef CHROME_BROWSER_SAFE_BROWSING_ADVANCED_PROTECTION_STATUS_MANAGER_H_
+#define CHROME_BROWSER_SAFE_BROWSING_ADVANCED_PROTECTION_STATUS_MANAGER_H_
+#include "base/timer/timer.h"
+#include "components/keyed_service/core/keyed_service.h"
+#include "components/signin/core/browser/account_tracker_service.h"
+#include "components/signin/core/browser/signin_manager_base.h"
+class Profile;
+namespace safe_browsing {
+// Responsible for keeping track of advanced protection status of the sign-in
+// profile.
+// Note that for profile that is not signed-in or is in incognito mode, we
+// consider it NOT under advanced protection.
+class AdvancedProtectionStatusManager : public KeyedService,
+                                        public AccountTrackerService::Observer,
+                                        public SigninManagerBase::Observer {
+ public:
+  explicit AdvancedProtectionStatusManager(Profile* profile);
+  ~AdvancedProtectionStatusManager() override;
+  // If |kAdvancedProtectionStatusFeature| is enabled.
+  static bool IsEnabled();
+  // If the primary account of |profile| is under advanced protection.
+  static bool IsUnderAdvancedProtection(Profile* profile);
+  bool is_under_advanced_protection() const {
+    return is_under_advanced_protection_;
+  }
+  // KeyedService:
+  void Shutdown() override;
+  // Subscribes to sign-in events.
+  void SubscribeToSigninEvents();
+  // Subscribes from sign-in events.
+  void UnsubscribeFromSigninEvents();
+ private:
+  // AccountTrackerService::Observer implementations.
+  void OnAccountUpdated(const AccountInfo& info) override;
+  void OnAccountRemoved(const AccountInfo& info) override;
+  // SigninManagerBase::Observer implementations.
+  void GoogleSigninSucceeded(const AccountInfo& account_info) override;
+  void GoogleSignedOut(const AccountInfo& account_info) override;
+  void OnAdvancedProtectionEnabled();
+  void OnAdvancedProtectionDisabled();
+  // Requests Gaia refresh token to obtain advanced protection status.
+  void RefreshAdvancedProtectionStatus();
+  // Requests advanced protection status and schedule next refresh.
+  void RefreshAdvancedProtectionStatusAndScheduleNext();
+  // Starts a timer to schedule next refresh.
+  void ScheduleNextRefresh();
+  // Cancels any status refresh in the future.
+  void CancelFutureRefresh();
+  // Sets |last_refresh_| to now and persists it.
+  void UpdateLastRefreshTime();
+  Profile* const profile_;
+  // Is the profile account under advanced protection.
+  bool is_under_advanced_protection_;
+  // Gaia ID of the primary account of |profile_|. If this profile is not signed
+  // in, this field will be empty.
+  std::string primary_account_gaia_;
+  base::OneShotTimer timer_;
+  base::Time last_refreshed_;
+};
+}  // namespace safe_browsing
+#endif  // CHROME_BROWSER_SAFE_BROWSING_ADVANCED_PROTECTION_STATUS_MANAGER_H_
--- a/chrome/browser/safe_browsing/advanced_protection_status_manager_factory.cc
+++ b/chrome/browser/safe_browsing/advanced_protection_status_manager_factory.cc
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "chrome/browser/safe_browsing/advanced_protection_status_manager_factory.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/safe_browsing/advanced_protection_status_manager.h"
+#include "chrome/browser/signin/account_tracker_service_factory.h"
+#include "chrome/browser/signin/signin_manager_factory.h"
+#include "components/keyed_service/content/browser_context_dependency_manager.h"
+#include "components/signin/core/browser/signin_manager.h"
+#include "content/public/browser/browser_context.h"
+namespace safe_browsing {
+// static
+AdvancedProtectionStatusManager*
+AdvancedProtectionStatusManagerFactory::GetForBrowserContext(
+    content::BrowserContext* context) {
+  return static_cast<AdvancedProtectionStatusManager*>(
+      GetInstance()->GetServiceForBrowserContext(context, /* create= */ true));
+}
+// static
+AdvancedProtectionStatusManagerFactory*
+AdvancedProtectionStatusManagerFactory::GetInstance() {
+  return base::Singleton<AdvancedProtectionStatusManagerFactory>::get();
+}
+AdvancedProtectionStatusManagerFactory::AdvancedProtectionStatusManagerFactory()
+    : BrowserContextKeyedServiceFactory(
+          "AdvancedProtectionStatusManager",
+          BrowserContextDependencyManager::GetInstance()) {
+  DependsOn(AccountTrackerServiceFactory::GetInstance());
+  DependsOn(SigninManagerFactory::GetInstance());
+}
+AdvancedProtectionStatusManagerFactory::
+    ~AdvancedProtectionStatusManagerFactory() {}
+KeyedService* AdvancedProtectionStatusManagerFactory::BuildServiceInstanceFor(
+    content::BrowserContext* context) const {
+  return new AdvancedProtectionStatusManager(
+      Profile::FromBrowserContext(context));
+}
+bool AdvancedProtectionStatusManagerFactory::
+    ServiceIsCreatedWithBrowserContext() const {
+  return true;
+}
+bool AdvancedProtectionStatusManagerFactory::ServiceIsNULLWhileTesting() const {
+  // TODO(jialiul): Change this to 'false' when this class is wired into Chrome.
+  return true;
+}
+}  // namespace safe_browsing
--- a/chrome/browser/safe_browsing/advanced_protection_status_manager_factory.h
+++ b/chrome/browser/safe_browsing/advanced_protection_status_manager_factory.h
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef CHROME_BROWSER_SAFE_BROWSING_ADVANCED_PROTECTION_STATUS_MANAGER_FACTORY_H_
+#define CHROME_BROWSER_SAFE_BROWSING_ADVANCED_PROTECTION_STATUS_MANAGER_FACTORY_H_
+#include "base/memory/singleton.h"
+#include "components/keyed_service/content/browser_context_keyed_service_factory.h"
+namespace content {
+class BrowserContext;
+}
+namespace safe_browsing {
+class AdvancedProtectionStatusManager;
+// Responsible for keeping track of advanced protection status of the sign-in
+// profile.
+class AdvancedProtectionStatusManagerFactory
+    : public BrowserContextKeyedServiceFactory {
+ public:
+  static AdvancedProtectionStatusManager* GetForBrowserContext(
+      content::BrowserContext* context);
+  static AdvancedProtectionStatusManagerFactory* GetInstance();
+ private:
+  friend struct base::DefaultSingletonTraits<
+      AdvancedProtectionStatusManagerFactory>;
+  AdvancedProtectionStatusManagerFactory();
+  ~AdvancedProtectionStatusManagerFactory() override;
+  // BrowserContextKeyedServiceFactory:
+  KeyedService* BuildServiceInstanceFor(
+      content::BrowserContext* context) const override;
+  bool ServiceIsCreatedWithBrowserContext() const override;
+  bool ServiceIsNULLWhileTesting() const override;
+};
+}  // namespace safe_browsing
+#endif  // CHROME_BROWSER_SAFE_BROWSING_ADVANCED_PROTECTION_STATUS_MANAGER_FACTORY_H_
--- a/chrome/browser/safe_browsing/advanced_protection_status_manager_unittest.cc
+++ b/chrome/browser/safe_browsing/advanced_protection_status_manager_unittest.cc
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "chrome/browser/safe_browsing/advanced_protection_status_manager.h"
+#include "chrome/browser/safe_browsing/advanced_protection_status_manager_factory.h"
+#include "chrome/browser/signin/account_tracker_service_factory.h"
+#include "chrome/browser/signin/fake_signin_manager_builder.h"
+#include "chrome/browser/signin/signin_manager_factory.h"
+#include "chrome/test/base/testing_profile.h"
+#include "components/prefs/pref_service.h"
+#include "components/safe_browsing/common/safe_browsing_prefs.h"
+#include "components/signin/core/browser/account_tracker_service.h"
+#include "content/public/test/test_browser_thread_bundle.h"
+#include "testing/gtest/include/gtest/gtest.h"
+namespace safe_browsing {
+namespace {
+class AdvancedProtectionStatusManagerTest : public testing::Test {
+ public:
+  AdvancedProtectionStatusManagerTest() {
+    TestingProfile::Builder builder;
+    builder.AddTestingFactory(SigninManagerFactory::GetInstance(),
+                              BuildFakeSigninManagerBase);
+    testing_profile_.reset(builder.Build().release());
+    fake_signin_manager_ = static_cast<FakeSigninManagerForTesting*>(
+        SigninManagerFactory::GetForProfile(testing_profile_.get()));
+    account_tracker_service_ =
+        AccountTrackerServiceFactory::GetForProfile(testing_profile_.get());
+  }
+  ~AdvancedProtectionStatusManagerTest() override {}
+#if !defined(OS_CHROMEOS)
+  std::string SignIn(const std::string& gaia_id,
+                     const std::string& email,
+                     bool is_under_advanced_protection) {
+    AccountInfo account_info;
+    account_info.gaia = gaia_id;
+    account_info.email = email;
+    account_info.is_under_advanced_protection = is_under_advanced_protection;
+    std::string account_id =
+        account_tracker_service_->SeedAccountInfo(account_info);
+    fake_signin_manager_->SignIn(gaia_id, email, "password");
+    return account_id;
+  }
+#endif
+ protected:
+  content::TestBrowserThreadBundle thread_bundle;
+  std::unique_ptr<TestingProfile> testing_profile_;
+  FakeSigninManagerForTesting* fake_signin_manager_;
+  AccountTrackerService* account_tracker_service_;
+};
+}  // namespace
+#if !defined(OS_CHROMEOS)
+TEST_F(AdvancedProtectionStatusManagerTest, SignInAndSignOutEvent) {
+  AdvancedProtectionStatusManager aps_manager(testing_profile_.get());
+  ASSERT_FALSE(aps_manager.is_under_advanced_protection());
+  SignIn("gaia_id", "email", /* is_under_advanced_protection = */ true);
+  EXPECT_TRUE(aps_manager.is_under_advanced_protection());
+  fake_signin_manager_->ForceSignOut();
+  EXPECT_FALSE(aps_manager.is_under_advanced_protection());
+  aps_manager.UnsubscribeFromSigninEvents();
+}
+TEST_F(AdvancedProtectionStatusManagerTest, AccountRemoval) {
+  AdvancedProtectionStatusManager aps_manager(testing_profile_.get());
+  ASSERT_FALSE(aps_manager.is_under_advanced_protection());
+  std::string account_id =
+      SignIn("gaia_id", "email", /* is_under_advanced_protection = */ false);
+  EXPECT_FALSE(aps_manager.is_under_advanced_protection());
+  account_tracker_service_->SetIsAdvancedProtectionAccount(
+      account_id, /* is_under_advanced_protection= */ true);
+  EXPECT_TRUE(aps_manager.is_under_advanced_protection());
+  account_tracker_service_->RemoveAccount(account_id);
+  EXPECT_FALSE(aps_manager.is_under_advanced_protection());
+  aps_manager.UnsubscribeFromSigninEvents();
+}
+#endif
+}  // namespace safe_browsing
--- a/chrome/test/BUILD.gn
+++ b/chrome/test/BUILD.gn
@@ -3884,6 +3884,7 @@ test("unit_tests") {
  if (safe_browsing_mode == 1) {
    # TODO(sgurun): enable tests for safe_browsing==2.
    sources += [
+      "../browser/safe_browsing/advanced_protection_status_manager_unittest.cc",
      "../browser/safe_browsing/browser_feature_extractor_unittest.cc",
      "../browser/safe_browsing/chrome_password_protection_service_unittest.cc",
      "../browser/safe_browsing/client_side_detection_host_unittest.cc",

--- a/components/safe_browsing/common/safe_browsing_prefs.cc
+++ b/components/safe_browsing/common/safe_browsing_prefs.cc
@@ -184,6 +184,8 @@ const char kPasswordProtectionLoginURLs[] =
    "safebrowsing.password_protection_login_urls";
 const char kPasswordProtectionWarningTrigger[] =
    "safebrowsing.password_protection_warning_trigger";
+const char kAdvancedProtectionLastRefreshInUs[] =
+    "safebrowsing.advanced_protection_last_refresh";
 }  // namespace prefs
 namespace safe_browsing {
@@ -292,6 +294,7 @@ void RegisterProfilePrefs(PrefRegistrySimple* registry) {
  registry->RegisterListPref(prefs::kPasswordProtectionLoginURLs);
  registry->RegisterIntegerPref(prefs::kPasswordProtectionWarningTrigger,
                                PASSWORD_PROTECTION_OFF);
+  registry->RegisterInt64Pref(prefs::kAdvancedProtectionLastRefreshInUs, 0);
 }
 void RegisterLocalStatePrefs(PrefRegistrySimple* registry) {

--- a/components/safe_browsing/common/safe_browsing_prefs.h
+++ b/components/safe_browsing/common/safe_browsing_prefs.h
@@ -83,6 +83,10 @@ extern const char kPasswordProtectionLoginURLs[];
 // by enterprise policy and has no effect on users who are not managed by
 // enterprise policy.
 extern const char kPasswordProtectionWarningTrigger[];
+// Last time Chrome refreshes advanced protection status for sign-in users (in
+// microseconds);
+extern const char kAdvancedProtectionLastRefreshInUs[];
 }
 namespace safe_browsing {

--- a/components/safe_browsing/features.cc
+++ b/components/safe_browsing/features.cc
@@ -22,6 +22,9 @@ namespace safe_browsing {
 const base::Feature kAdSamplerTriggerFeature{"SafeBrowsingAdSamplerTrigger",
                                             base::FEATURE_DISABLED_BY_DEFAULT};
+const base::Feature kAdvancedProtectionStatusFeature{
+    "AdvancedProtectionStatus", base::FEATURE_DISABLED_BY_DEFAULT};
 // Controls the billing interstitial UI.
 const base::Feature kBillingInterstitial{"BillingInterstitial",
                                         base::FEATURE_DISABLED_BY_DEFAULT};
@@ -36,25 +39,25 @@ const base::Feature kCheckByURLLoaderThrottle{
    "S13nSafeBrowsingCheckByURLLoaderThrottle",
    base::FEATURE_DISABLED_BY_DEFAULT};
-const base::Feature kThreatDomDetailsTagAndAttributeFeature{
+const base::Feature kEnterprisePasswordProtectionV1{
-    "ThreatDomDetailsTagAttributes", base::FEATURE_DISABLED_BY_DEFAULT};
+    "EnterprisePasswordProtectionV1", base::FEATURE_ENABLED_BY_DEFAULT};
+const base::Feature kForceEnableResetPasswordWebUI{
+    "ForceEnableResetPasswordWebUI", base::FEATURE_DISABLED_BY_DEFAULT};
+const base::Feature kInspectDownloadedRarFiles{
+    "InspectDownloadedRarFiles", base::FEATURE_DISABLED_BY_DEFAULT};
 const base::Feature kSuspiciousSiteTriggerQuotaFeature{
    "SafeBrowsingSuspiciousSiteTriggerQuota", base::FEATURE_ENABLED_BY_DEFAULT};
+const base::Feature kThreatDomDetailsTagAndAttributeFeature{
+    "ThreatDomDetailsTagAttributes", base::FEATURE_DISABLED_BY_DEFAULT};
 const base::Feature kTriggerThrottlerDailyQuotaFeature{
    "SafeBrowsingTriggerThrottlerDailyQuota",
    base::FEATURE_DISABLED_BY_DEFAULT};
-const base::Feature kInspectDownloadedRarFiles{
-    "InspectDownloadedRarFiles", base::FEATURE_DISABLED_BY_DEFAULT};
-const base::Feature kEnterprisePasswordProtectionV1{
-    "EnterprisePasswordProtectionV1", base::FEATURE_ENABLED_BY_DEFAULT};
-const base::Feature kForceEnableResetPasswordWebUI{
-    "ForceEnableResetPasswordWebUI", base::FEATURE_DISABLED_BY_DEFAULT};
 namespace {
 // List of experimental features. Boolean value for each list member should be
 // set to true if the experiment is currently running at a probability other
@@ -65,6 +68,7 @@ constexpr struct {
  bool probabilistically_enabled;
 } kExperimentalFeatures[]{
    {&kAdSamplerTriggerFeature, false},
+    {&kAdvancedProtectionStatusFeature, true},
    {&kBillingInterstitial, false},
    {&kCheckByURLLoaderThrottle, true},
    {&kForceEnableResetPasswordWebUI, true},

--- a/components/safe_browsing/features.h
+++ b/components/safe_browsing/features.h
@@ -20,11 +20,29 @@ class ListValue;
 namespace safe_browsing {
 // Features list
 extern const base::Feature kAdSamplerTriggerFeature;
-extern const base::Feature kCheckByURLLoaderThrottle;
+// Controls the safe browsing protection for advanced protection program.
+extern const base::Feature kAdvancedProtectionStatusFeature;
 // Controls the billing interstitial UI.
 extern const base::Feature kBillingInterstitial;
+extern const base::Feature kCheckByURLLoaderThrottle;
+// Controls the Password Protection for Enterprise V1 feature;
+extern const base::Feature kEnterprisePasswordProtectionV1;
+// Forces the chrome://reset-password page to be shown for review or testing
+// purpose.
+extern const base::Feature kForceEnableResetPasswordWebUI;
+// Controls whether .rar files downloaded by the user are inspected for being
+// unsafe.
+extern const base::Feature kInspectDownloadedRarFiles;
+// Controls the daily quota for the suspicious site trigger.
+extern const base::Feature kSuspiciousSiteTriggerQuotaFeature;
 // Specifies which non-resource HTML Elements to collect based on their tag and
 // attributes. It's a single param containing a comma-separated list of pairs.
 // For example: "tag1,id,tag1,height,tag2,foo" - this will collect elements with
@@ -33,9 +51,6 @@ extern const base::Feature kBillingInterstitial;
 // be lower case.
 extern const base::Feature kThreatDomDetailsTagAndAttributeFeature;
-// Controls the daily quota for the suspicious site trigger.
-extern const base::Feature kSuspiciousSiteTriggerQuotaFeature;
 // Controls the daily quota for data collection triggers. It's a single param
 // containing a comma-separated list of pairs. The format of the param is
 // "T1,Q1,T2,Q2,...Tn,Qn", where Tx is a TriggerType and Qx is how many reports
@@ -46,17 +61,6 @@ extern const base::Feature kSuspiciousSiteTriggerQuotaFeature;
 // trials simultaneously.
 extern const base::Feature kTriggerThrottlerDailyQuotaFeature;
-// Controls whether .rar files downloaded by the user are inspected for being
-// unsafe.
-extern const base::Feature kInspectDownloadedRarFiles;
-// Controls the Password Protection for Enterprise V1 feature;
-extern const base::Feature kEnterprisePasswordProtectionV1;
-// Forces the chrome://reset-password page to be shown for review or testing
-// purpose.
-extern const base::Feature kForceEnableResetPasswordWebUI;
 base::ListValue GetFeatureStatusList();
 }  // namespace safe_browsing